Tuesday, May 31, 2005

#56 Who will buy Microsoft Antivirus?

Two weeks ago we commented on how Symantec and McAfee were not all that concerned that Microsoft was entering the AV market, as it was initially targeted at consumers and at the mail gateway, and that they (Symantec and McAfee) had a head start on the enterprise desktop market. This made sense to me, since I shared a similar view to someone quoted in the article, namely that "Buying security software from Microsoft is like buying medication from a doctor who has been successfully sued for malpractice."

But it would seem that in spite of all the security dysfunction around Microsoft, the [IT] ecosystem will be willing to try anything it offers. And its marketing and market muscle are not to be underestimated. According to the survey of 100 CIOs' software-buying plans that Forrester Research conducted for the investment bank Credit Suisse First Boston LLC, seven in 10 CIOs surveyed say they'd consider licensing a Microsoft antivirus product. Also according to the article, enterprise resource planning, security, and business intelligence are the year's top spending priorities.

It's too early to determine Microsoft's fate in the enterprise antivirus market, Credit Suisse First Boston says. It could gain a foothold in the market through aggressive pricing. The key will be how it optimizes the link between its security systems and the Windows platform. Still, any impact on other security software vendors will be minimal over the next 12 to 18 months, the report concludes.

I think that if the products are technically good (and there is every indication that they are), then Microsoft will wield the power of pricing to disintermediate this market. They are big enough, and the AV market is small enough in comparison to the rest of their business, for them to be able to achieve this without blinking.

#55 IM in the firing line

I have been watching the level of press on IM and P2P exploits notching up over the last two weeks and found an article that summed it all up nicely. I think that IM exploits are about to move from the "nuisance" level to the "business continuity" level very shortly, and as with all previous new mediums used to launch exploits (such as Blaster, etc.) that make it into the big time, when it hits, it hits hard and takes everyone by surprise.

The quantity of attacks is increasing rapidly because hackers have discovered three things about IM. Firstly, your defences are down in IM: unlike e-mail, you are not yet trained to be suspicious of IM. Second, IM uses a model where messages come from IDs that you implicitly trust; you might have just had an IM conversation with someone down the hall when you receive a worm from that same person. Thirdly, IM is more susceptible to social-engineering bait that leans on current events or private, non-work-related downloads, since users have moved from e-mail to IM for chats, casual banter and private file swapping and jokes.

Expect the noise on this topic to get louder in the ensuing months...

Monday, May 30, 2005

#54 ZombieMeter keeps count of hacked PCs

Here's an interesting addition to our industry...

Internet security company CipherTrust on Thursday breathed life into its ZombieMeter, a new system that tracks traffic from compromised PCs around the world. Available on the CipherTrust Web site, the ZombieMeter tracks the number of new 'zombies' per hour and is designed to help identify Internet security threats, the company said in a statement.

So far this month, CipherTrust has found an average of 172,009 new zombies each day. About 26 percent of those were found in the European Union, 20 percent in the United States and 15 percent in China, the company said.

You can view the ZombieMeter here:

#53 Employee awareness is sadly lacking

This was an interesting read about the lack of user awareness or education training around IT security and the obvious impact it has on your organisation.

In an Ernst & Young study, more than 70% of 1,233 organizations surveyed failed to list training and raising employee awareness of information security issues as a top initiative. Even though 93% of businesses have antivirus software in place, 72% of businesses received infected e-mail files during 2004, and roughly two-thirds of large businesses experienced virus infections or denial-of-service attacks last year. And still, less than half of Ernst & Young's respondents provide their employees with ongoing training in security. According to Meta Group research, 75% of organizations have found that lack of user awareness damages their security programs' effectiveness. Organizations across every industry must take the time to develop a security awareness program, which could turn out to be the missing link -- the most powerful link -- in their chain of defense.

This really presses home a point that I always harp on with my customers, and even though they acknowledge the benefits, very few manage to execute on such a plan. This article goes on to make some suggestions for hard-pressed CSOs or IT managers about how to kick such a program off.

#52 EU leads with Zombie infections

Here is something that not everyone knows.

The European Union leads the world in the number of computers that are controlled remotely by hackers. So-called zombie PCs are infected with viruses or penetrated through poor patching and used to send spam or launch denial of service attacks. Data from email security specialist CipherTrust shows that 26 per cent of all PCs infected in May are located in the EU, compared with 20 per cent in the US and 15 per cent in China. The UK accounted for three per cent of the world's total, with Germany leading Europe at six per cent. Over May an average of 172,000 new PCs were infected each month.

The U.S. Federal Trade Commission, in conjunction with regulatory bodies in about 30 countries, is about to launch an education campaign directed at Internet service providers (ISPs). Its message? "Zombies are out of control." These "zombie" networks account for a large percentage of unsolicited e-mail being sent on the Internet, said Don Blumenthal, Internet lab coordinator at the FTC. "I've seen estimates that anywhere from 80% to 90% of the spam out there is processed through" zombie networks, he said. "It is certainly a critical problem."

#51 Impact of regulation on IT Security Spending

Here's an interesting article compiled from input of a number of leading analysts that concludes that regulation has driven most IT security spending to date, but that this is likely to taper off as a driver. Security budgets are likely to peak at 6% of IT budget in 2006. It would seem a dose of realism is about to set in with regard to regulations, and although it won't drive IT security spending as much anymore, other factors such as ID theft, spyware, etc. will take a stronger role in driving security spend.

Friday, May 27, 2005

#50 Virus writers go under the radar

In what is certainly disturbing news, Kaspersky Labs reports that virus authors are choosing not to create global epidemics--such as Melissa, Netsky, MyDoom or Blaster--because that distracts them from their core business of creating and selling botnets.

In a previous blog entry I warned that the 2004/5 virus outbreaks were merely the sideshow for what is nothing more than a "land grab" by hackers aiming to grow their botnet armies for the purpose of selling them off to organised crime. (Botnets are groups of computers that have been infected by malware that allows the author to control the infected PCs, and then typically use them to send spam or launch DDoS attacks.)

Speaking at the AusCERT conference on Australia's Gold Coast on Tuesday, Eugene Kaspersky, founder of Kaspersky Labs, said that the influence of organised crime on the malware industry has led to a change of tactics, echoing comments made in March of this year by Mikko Hyppönen of F-Secure. Instead of trying to create viruses and worms that infect as many computers as possible, malware authors are instead trying to infect 5,000 or 10,000 computers at a time to create personalized zombie armies.

I think there is another psychological factor we are missing here: the hackers have become acutely aware that the massive outbreaks create all kinds of hype and press coverage and "tip off" users to be more wary, or even worse, to clean up their PCs, whereas by "toning down" their infection strategies they slip under the radar and get to implement their dastardly deeds.

Ever wondered why none of these viruses, etc. actually cause any damage to the infected host? The only damage we ever witness is the flood of spam or traffic when the virus attempts to replicate itself.

MCI employee data stolen in laptop theft

MCI is evaluating new corporate security technologies and policies following the theft of a staffer's notebook computer containing personal information on about 16,500 current and former employees, the company said Monday.

I wonder how much sensitive information is floating around on a typical Fortune 1000 company's collection of laptops? At the very least, disk encryption should be employed on sensitive data, even if it is the weaker one provided with the Windows XP operating system.

Wednesday, May 25, 2005

#48 Ransom-Ware

Here's a new one for the books.

It would seem that "unorganised" crime in the form of hackers has taken a cue from its more organised brethren for extortion.

Computer users already anxious about viruses and identity theft have new reason to worry: Hackers have found a way to lock up the electronic documents on your computer and then demand $200 over the internet to get them back. Security researchers at Websense uncovered the unusual extortion plot when a corporate customer they would not identify fell victim to the infection, which encrypted files that included documents, photographs and spreadsheets. A ransom note left behind included an e-mail address, and the attacker using the address later demanded $200 for the digital keys to unlock the files.

The new type of attack has been dubbed "Ransom-Ware".

Tuesday, May 24, 2005

Public worried about online ID theft

In a survey commissioned by software firm Intervoice, 17% of people said they had stopped banking online while 13% had abandoned web shopping.

This came as no surprise, especially in the light of all the press around this issue and some of the stupefying numbers being bandied about with ID theft and particularly phishing. The strange thing is that the banks are not actually worried about the fraud loss itself, as this is insignificant compared to traditional credit card fraud. Their main concern is the credibility of their online offerings.

For a while now everyone thought Joe Public wouldn't be as concerned with all the breaches, but now they have been proved wrong, with many surveys showing that consumers' online fears are rising rapidly, to the point where they could seriously dent public e-commerce.

Many e-traders and banks are now offering tokens to their clients to address this issue and those that haven't yet are seriously looking at it.

Microsoft OneCare sceptics start surfacing

After chewing on the recent Microsoft OneCare announcements, the sceptics are starting to come forward. I found this entertaining and informative reading, and something to chew on...

Will users trust Microsoft to manage and secure their PCs? If history is any indicator, the answer could be no.

Do users trust Microsoft enough to allow the Redmond vendor to secure their systems?
Microsoft has been testing out, for at least two years, the concept of offering consumers security and management services on a hosted basis. (It did so via a prototype known as the PC Satisfaction Trial.) Earlier this month, the Redmond software vendor went public with its plans to launch the resulting MSN-branded subscription service, code-named A1—and officially christened "Windows OneCare."

Mike Nash, head of the company's security technology and business unit, said during a Webcast this week that Microsoft was planning an enterprise version of OneCare. Now company officials are saying that "there are no current plans" for such a product. But Gartner Group and other pundits are predicting Microsoft will, indeed, field something like OneCare for corporate users.

Security is most pressing IT issue in UK

A poll by the British Computer Society (BCS) has revealed that security remains one of the most pressing worries for IT managers. Almost four out of five of those questioned indicated that an effective IT security infrastructure is key to the UK's competitiveness in the global market.

Top of the shopping list for BCS members is spending on security products, followed by application security software and mobile computing.

Surprised anyone?

US Govt report tackles VOIP security

A new U.S. government report issued by NIST (National Institute for Standards and Technology) weighs in on voice over IP (VoIP) security, offering valuable guidelines for solution providers and end customers. While noting the potential of the technology, such as lower costs and greater flexibility, the report states that those deploying VoIP must do more than just plug VoIP components into existing IP networks.

Despite the healthy caution, solution providers believe that VoIP systems can be made at least as secure as the technology they replace—as long as security figures prominently in solution deployment. "Because VoIP is shared infrastructure, you need to apply the same defense-in-depth strategy you would with any network infrastructure," says Chris Thatcher, national practice director, enterprise security at Dimension Data North America, Reston, Va. "Successful VoIP means placing the right controls around key assets throughout the infrastructure to mitigate risk."

For more information, see NIST Special Publication 800-58, Security Considerations for Voice Over IP Systems, available at http://csrc.nist.gov/publications/nistpubs/index.html.

If you belong to the Dimension Data Security community you can download our new global guidelines and templates for a Secure VOIP solution from the portal. The solution was developed in conjunction with our US, Africa and Australia practices.

Microsoft to abandon passwords

Microsoft has revealed at a security panel at CeBIT that it is preparing to dump passwords in favour of two-factor authentication in forthcoming versions of Windows. Detlef Eckert, the senior director in charge of Microsoft's Trustworthy Computing initiative, did not specify which form of two-factor authentication would be used in the next edition of the company's operating system, codenamed Longhorn. But he said that the code would have vastly improved handling of technologies including smartcards and security tokens. "I believe that the time of password-only authentication is gone," said Eckert. "We need to go to two-factor authentication. This is the only way to bring the level of trust business needs." The panellists were in broad agreement that better digital identity is essential for the future development of e-commerce. RSA Security chief executive Art Coviello suggested that the effects were already being felt, pointing out that some Australian banks have recently pulled out of planned web services because of security fears.

I guess that means we won't have to worry about all those pieces of paper and Post-it notes with passwords written on them anymore!

New Age Risk Assessments

It would seem that clients are turning their backs on the Risk Assessment as we know it. And it probably makes sense. The security landscape has changed much in the three years since the original detailed risk assessment was conceived, and turned into months-long, $250K engagements by the big consulting firms to produce a 300-page report that nobody followed up on and that had a shelf life of 3 months.
As a starter, the threats are better known, and the proliferation of malicious code and worms pretty much guarantees your 100% probability of being impacted by certain types of incidents. Current thinking, as embodied in various standards and industry-specific regulations, implies a holistic approach to risk management that comprises technical, operational, and administrative controls and the required assessments to establish their efficacy in managing the organization's information technology (IT) risks. The results of various methods of risk analysis in common use in IT systems today are suspect because the source data and assumptions upon which their conclusions are based are subjective and may be flawed and inconsistent. The results of various vulnerability and penetration assessments are of limited value because they are based upon the assumption that all possible vulnerabilities can be known and tested for, clearly not a possibility.

Customers are turning to new-age methodologies such as FARES (Formal Analysis of Risk in Enterprise Systems) and OCTAVE from Carnegie Mellon University's Software Engineering Institute.

OCTAVE helps companies identify infrastructure vulnerabilities, prioritize information assets and create asset-specific threat profiles and mitigation plans. FARES introduces a novel technique that manages risks to an enterprise in terms of how well hardened, technically, operationally and administratively, the enterprise is against attack. Using the concept of formal analysis of communications channels between security policy domains, the Forensic Analysis of Risks in Enterprise Systems (FARES) process addresses threats, vulnerabilities, impacts and countermeasures from the perspective of forensic analysis of target enterprises responding to various threat models.

The intent is to use a rapid, more simplified methodology to facilitate the adoption of security as an operational risk management issue, not as a tactical function.

For info on OCTAVE, follow the topic link. For info on FARES follow this link: http://www.secureworldexpo.com/events/conference-details.php?cid=234

Seven deadly ID Management sins

Speak of the devil: no sooner had I completed the previous post than I came across this article highlighting that the frailties of ID management come down to... you guessed it, people! All the more reason that telling your users to write down their average of 12 "strong passwords" on pieces of paper does not solve your problems, especially if 75% of them will give up these passwords for a bar of chocolate!

The author opens up the article with: "After three decades of observation, I have concluded that most IDM failures aren't due to technology glitches. In fact, most of the leading IDM technologies serve their purpose well. Instead, the most common problems seem to result from how people interface with these systems. I call the causes of these fiascos the 'seven deadly sins of identity management.'"
  1. Too much rigor reduces employee productivity.
  2. Tighter security measures can lead to back-end shortcuts.
  3. Too much convenience decreases end-user confidence.
  4. Too much collection of personal information creates privacy risks.
  5. Poor manual controls open the door to social-engineering risks.
  6. Too much autonomy creates opportunity for malicious insiders.
  7. Ignorance causes low-tech risks.
Follow the hyperlink in the subject topic for an interesting and useful short read of 2 pages.

Security Industry giving wrong advice on passwords for 20 years

Here's something from Australia I found interesting. A security guru at Microsoft says that the security industry is wrong to advise customers to prohibit users from writing down passwords, as that merely means users will use the same weak password everywhere. The advice should rather be to use different, but strong, passwords.

Now forgive my ignorance, but shouldn't we rather be addressing the use of passwords itself as an issue that needs a rethink? To my mind, the use of passwords, strong or weak, relies too much on the human element, and we should rather be looking to IAM or single sign-on (SSO) solutions as a managed approach to identities.

Utility Security

One of the consequences of the security market maturing, and the convergence we are witnessing of security functionality into the OS and network, is that it will become "invisible" like most utilities such as dial tone, electricity, etc., and taken for granted. What this means is that eventually its cost will become absorbed into "per seat pricing", pretty much like EDS and IBM revolutionised outsourcing 10 years ago with per-seat pricing.

We are witnessing this trend already. IBM Global Services has already announced an all-in-one desktop per managed seat service that includes security functions such as personal firewall, AV and patching. HP has just made an announcement that is slightly more focused on the security angle. It is interesting to note that they have teamed up with Symantec and the service includes data backup. Another point of interest is that nobody has yet cracked the answer to the question of what happens for compensation if a breach occurs or data is lost, and therein lies the opportunity for this business model!

Hewlett-Packard is attempting to simplify security for small companies lacking IT resources or knowledge. The company has teamed with Symantec to help small and midsize businesses avoid virus and spyware attacks but will also offer services for patch management and data backup. HP will charge $20 per month per employee for a new security and data backup service. HP customers who were present Thursday in New York at the launch of the company's Smart Desktop Management Service said the move can be a big help to businesses. Chuck Ostrowski, director of IT for Los Angeles law firm Weston Benshoof, said that the math makes sense. "It might not stop something from happening, but it really decreases the risks," he said.

HP said the service will help small and midsize businesses keep critical business processes running and will back up the most important data for customers. But when launching the service, the company was unclear about its commitment to pay up if it lost any customer data. When asked whether it would give compensation, company executives didn't have an answer. "It's a good question, but I don't know the answer," said Kevin Gilroy, senior vice president and general manager for HP's small and medium-size business unit. "The question that is interesting is how you put a value on that data."

Friday, May 20, 2005

Microsoft Sells ID Management plan

For years we have been building security into our infrastructure with firewalls, VPNs, IDS/IPS, antivirus, etc., but the industry and clients are finally realising that more is required. The emergence of identity-based security models such as NAC and the TNC consortium architecture, and press around massive ID thefts and online banking fraud, have pushed the focus back on identities. In a previous blog entry I discussed that 2005/6 was the year of IAM. Now Microsoft is getting in on the action, which further cements this trend moving forward.

Microsoft last week laid out a model for a distributed identity infrastructure designed to simplify access to corporate resources and protect user privacy across the Internet.

The model begins with a seven-point conceptual representation of digital identity that Microsoft has been discussing with industry experts, including the open source community, for a month. Last week, Microsoft released a description of its Identity Metasystem architecture, which adheres to the conceptual representation. The company also said it was readying client, server and development tools for users to build an open and extensible identity system based on Web services protocols that is compliant with the Metasystem outline.

Dangers of all-in-one appliances

The recent launch by Cisco of its "all-in-one" adaptive security appliance (ASA) raises the question again about "best of breed".

Today, most security consultants advise against using one device to offer all your protection services, saying that this idea goes against the grain of multi-layered security and pointing to the risk posed by that one appliance being compromised.

So today, pretty much all of our customers go for "best of breed" point purchases. Now remember that Network Associates failed with their all-in-one approach a few years back; then Symantec picked up the flag 2 years ago and has been preaching the all-in-one appliance story since then, but they also really have not seen the traction they would like. Now with Cisco and Juniper announcing their all-in-one wares (much to the delight of Symantec, I would imagine), things are likely to get interesting.

Attached is a link to a thought-provoking article that discusses the issues of "best of breed" versus "best of suite". No doubt we will come up against them when talking to our clients about this emerging trend in the market.

Bridging the gap between Operations and Security

It is a common observation among many customers I have visited that the IT operations teams and the security operations teams operate independently from each other. With the convergence of security into the network, this will have to change.

I found a nice paper that touches on where operational and security overlap and how to address them effectively and affordably.

"The segregation between the IT Security and Systems Operations functions is well entrenched. This white paper, "IT SecureOps: Four Principles of Success," offers your organization a solution guide, highlighting four problem areas where operational and security responsibilities overlap and how to address them effectively and affordably."

Dummies Guide to Network Compliance & Security

Folks, I have had very positive response from people who read my blog article on the compliance e-book last week. It would seem that this is going to be a classic.

I am re-posting about this ebook today to ensure some of you don't miss the previous article buried in the blog archives for last week, and urge you to glance through it. It's really the only "Dummies guide to compliance" I have managed to find yet.

Get tips from experts on how to approach network security & compliance. In this free eBook, IT professionals will receive valuable advice on how to meet industry standards (SOX, HIPAA), implement best practices (ITIL) and adhere to corporate security standards. Topics include:
  * Understanding IT Compliance & Security
  * Traditional Compliance Techniques
  * IT Compliance & Security for Today
  * Compliance Best Practices

Or try this to skip entering registration details, etc.

3Com to integrate IPS with switches and routers

It seems that everyone is on the convergence bandwagon following the Juniper, Microsoft and Cisco announcements of embedding security into their core fabrics.

3Com later this year will integrate its intrusion-prevention gear (from the TippingPoint acquisition) with its network equipment in an effort to let customers quarantine attacks by shutting down switch ports and redirecting users to restricted virtual LANs. The company's network switches will respond to commands from its TippingPoint Intrusion Prevention System (IPS) that sits in-line with traffic, inspecting packets to Layer 7 at wire speed and throttling or blocking suspicious traffic. The IPS will be packaged in blades that plug into 3Com switches and routers. 3Com bought TippingPoint last year.

According to the article, "With the new capabilities, the IPS can make switches close ports or shunt traffic to secure VLANs to quarantine devices and network segments where worms are found."

I'm sure it has to be more than that though, and I wonder whether they are going to develop their own type of NAC solution or join the TNC consortium, since adaptive security is surely more than detecting and quarantining attacks. What about checking the identity and integrity of the devices connecting to the network in the first place?

Microsoft Plans Enterprise Antivirus Effort

OneCare is obviously just the beginning. The problem with most of Microsoft's security efforts to date is that they are consumer targeted, but at this year's RSA conference they made no bones about the fact that they were eyeing the enterprise.

Microsoft plans to deliver antivirus technology to its enterprise customers in the future, a key Microsoft security executive confirmed Tuesday.

During the company's monthly security briefing, a key security executive confirmed that Microsoft intends to make available for its large corporate accounts antivirus technology like that which will be part and parcel of the Windows OneCare service for small businesses and home users that was unveiled May 13.

"We'll have an enterprise version," but Microsoft needs to offer centralized management capabilities before launching such a service for corporate customers, said Mike Nash, corporate vice president of Microsoft Security Business & Technology Unit. He declined to provide additional details about an enterprise version or when it would launch.

Thursday, May 19, 2005

Identity & Access Management (IAM) is hottest market for 2005/6

If 2005 is the year of identity theft, then it stands to reason that 2005 is the year of Identity and Access Management... right? Well, partly right. But there are a lot of other reasons that this is the year for IAM.

After years of being advertised as the next big thing, the identity and access management market is finally living up to the hype. Just before Christmas, Computer Associates bolstered its portfolio by grabbing Netegrity. BMC doubled the ante by buying Calendra and OpenNetwork, and even Oracle decided to take a break from acquiring application vendors when it snatched up Oblix.

What's behind the renewed interest?

First, there are those bothersome Sarbanes-Oxley Act regulations, which mandate that executives certify their financial results, lest they wind up in the pokey. But that's not all. A recent ESG Research report found that 55 percent of users surveyed believe that access control is their organization's highest security priority in relation to Sarbanes-Oxley compliance.

Then there's the security angle. Some 46 percent of users in the same ESG Research survey said they had found active accounts belonging to ex-employees after auditing their networks. This is the equivalent of leaving your front door wide open while you sleep.

So it's not surprising to find renewed interest in tools that provide the ability to quickly provision accounts for new hires and deprovision accounts for problem employees. That's the point of identity and access management technology, which can restrict what a user can actually do after they log on, and audit each action.

Check Point on the defensive

A detailed 4-page article on the woes of Check Point and the problems facing them.

The company on Monday plans to unveil a major upgrade across a number of product lines, moving to unify its perimeter, internal and Web security offerings with a common code base. The new NGX platform upgrades the core technology in its VPN, firewall and management software products.

But Check Point, a pioneer in firewalls and virtual private networks, faces vulnerabilities of its own. It has been slow to roll out new products, analysts say, and only recently has started to show signs of a willingness to change. The competitive landscape is looking harsher, too, with the looming presence of networking heavyweights such as Cisco Systems and Juniper Networks and software giants like Microsoft getting in on the action.

Historically, Check Point has been slow to roll out new product lines, remaining largely dependent on its existing customers to renew their subscriptions every year, analysts say. They say the company's desire to maintain its high profit margins has impeded its willingness to take on risks, thereby affecting its ability to be first to market with new products, and that same desire keeps a lid on its spending for research and development.

At the same time, there's a cloud over a key source of revenue--licensing dollars--even as some customers are grumbling about increasing fees. "They're slowly falling behind the ball," said Gene Munster, an analyst with Piper Jaffray. "Check Point says that Cisco has been in their market for years and hasn't affected it, but all you have to do is look at their licensing revenue."

Largest security breach in US banking history

Oh, boy things just keep getting worse. Last year was "The year of the Worm", and this year will surely go down as "The year of Identity theft."

Electronic account records for some 500,000 banking customers at four different US banks were allegedly stolen and sold to collection agencies in a data-theft case that has so far led to criminal charges against nine people, including seven former bank employees. According to the U.S. Department of the Treasury, the crime is believed to be the largest breach of banking security in the U.S., local police said.

Bills from US Congress in wake of ID Thefts

And here it comes... watching the LexisNexis/ChoicePoint/Ameritrade et al. events unfold over the last few weeks, it was inevitable that Congress would jump into action as more and more revelations came to the fore.

WASHINGTON -- Expect the U.S. Congress to pass new rules regulating the way companies handle customer data after recent leaks of personal information by data collectors ChoicePoint and LexisNexis, among other companies.

Expect this one to go quicker than most since both Republicans and Democrats complain about ID theft. "Anyone has a near-perfect right to package your personal information and do almost anything they want with it,"

Learn from others' mistakes!

Here is a well-written article describing what we can learn from the lax security in corporate America, following recent revelations at Bank of America, Ameritrade, LexisNexis, ChoicePoint, Polo Ralph Lauren, America Online and so on.

Going, going, gone are the days when gross security breaches can be shielded from public scrutiny. The California Security Breach Information Act, for example, requires state agencies and businesses that collect personal information from Californians to promptly disclose certain security lapses or face severe penalties.

Is it out of bounds to call it a sad state of affairs when politicians have to move in to protect what sterling IT outfits can’t seem to stay on top of?

The speed the situation improves will depend largely upon how much IT can watch and learn from the mistakes of others. In the spirit of minimizing your company’s risk and sparing you the awkwardness of pulling executives aside to darken their day, here are a few of the nastier moments in this year’s computer security journal, and expert advice on what you have to do to get a better night’s sleep.

Spit will ruin VOIP

Spam is back in the news, and it has a new name.

This time it's voice-over-IP spam, and it has the clever name of "spit" (spam over Internet telephony). Spit has the potential to completely ruin VoIP. No one is going to install the system if they're going to get dozens of calls a day from audio spammers. Or, at least, they're only going to accept phone calls from a white list of previously known callers.

By Bruce Schneier at his Weblog.

Organised crime gets in on the action

In a trend I have seen in many customers as long as 18 months back, criminals are increasingly targeting corporations with distributed denial-of-service attacks designed not to disrupt business networks but to extort thousands of dollars from the companies.

From the US to Europe and Africa, I have spoken with clients who have fallen victim to this extortion. Typically targeted are online gaming sites and payment providers or e-commerce sites that rely 100% on their servers and links being available all the time.

I have stated in a few white papers as early as 2003 that the spate of virus and malicious code/worms we have been witnessing for the last two years is merely Act 1 of the malicious code saga, laying the groundwork for millions of infected PCs "owned" by hacking groups who then on-sell their "real estate" of zombie armies to organised crime for DDoS attacks for a "rental fee".

Those targeted are increasingly deciding to pay the extortionists rather than accept the consequences, experts say. While reports of this type of crime have circulated for several years, most victimized companies remain reluctant to acknowledge the attacks or enlist the help of law enforcement, resulting in limited awareness of the problem and few prosecutions.

The attached article goes into this in nice depth and is worth viewing.

Storage managers cite security as top concern

In a telling sign that security is becoming a horizontal competence rather than a vertical one, and that security functionality will converge into the networking and systems fabric over time, a survey released last Monday by CompTIA, an IT trade association, found that protecting and securing data is the greatest challenge in storage management.

Security was cited as the top concern by one-third of 660 storage management execs surveyed between January and March. Management and administration of stored data was the second highest concern, cited by 17% of respondents, followed by speed of access to stored data (10%), and making data more accessible (8%).

No doubt all the recent fuss around some 2 million identities being lost from high-profile data brokers and corporations, and legislators pressing hard in response to the recent shocking revelations, will lend further impetus to this concern.

Business inaction rolls in more CyberSecurity Laws

Failure by the business community to enact meaningful security standards has opened the door for Congress to step in and pass cybersecurity legislation. According to a Reuters report, just two companies adopted cybersecurity guidelines established in 2004 by the Department of Homeland Security and an industry-led task force. The guidelines called for CEOs to take direct responsibility for their computer systems.

Experts say that corporations are more concerned with legal risk than the risks posed by hackers, and legislation is therefore the only way to enforce security.

Recent scandals at LexisNexis, America Online, Bank of America, ChoicePoint, Time Warner etc., involving the exposure of over 2 million customers' data, have shed new light on the issue and are putting pressure on lawmakers to act if businesses don't.

Harsh education

It would seem that the recent high-profile security breaches at HSBC, America Online, LexisNexis, ChoicePoint etc. are making company boards sit up and take notice.

Of course, educating company management about security is one thing, but the struggle most IT managers and CSOs have today is educating users in order to achieve security policy compliance. An annual study by the Computing Technology Industry Association (CompTIA) has revealed that although the share of IT security breaches attributed to human error remains high at 80%, organisations are doing little to educate staff to prevent future occurrences.

Of course, risks cannot be eliminated completely, but clearly communicated acceptable-use policies can do a lot to minimise the dangers. So how should firms go about educating staff?

E-learning might not be a panacea, but software such as Extend's PolicyMatters, which forces staff to take a Q&A test at regular intervals, is probably the way forward.

Expect to see the use of these tools accelerate as the security stakes rise and legislation becomes more pronounced. It may not be long before locking staff out of the network until they pass the test is deployed as a very effective way of getting the attention of even the most blasé employees.

Monday, May 16, 2005

Microsoft announces OneCare security bundle

In further affirmation of the convergence of security into networks and systems, Microsoft Corp. is readying a new consumer security product that offers virus and spyware protection, a new firewall and several tuneup tools for Windows PCs, a move that pits the company squarely against traditional security software vendors.
The product, dubbed Windows OneCare, will be tested internally at Microsoft starting this week, with a beta version scheduled to be available by year's end, Microsoft said in a statement yesterday. The final product will be offered as a subscription service, it said.

OneCare marks Microsoft's long-anticipated entry into the antivirus market, until now the domain of specialized vendors such as Symantec Corp., McAfee Inc. and Trend Micro Inc. Microsoft announced its intent to offer antivirus products two years ago when it bought Romanian antivirus software developer GeCAD Software SRL.

But OneCare will do more than guard against viruses and worms. The product will also include spyware protection and a new firewall that scans incoming and outgoing traffic. The firewall now included in Windows scans only incoming traffic.

Cars safe from viruses...for now

And now for something completely different! After the recent fuss about mobile phone viruses and Toyota Lexus bluetooth exploits, someone had to go out there to try and test the theory.

After exhaustive testing, Finnish security firm F-Secure has failed to make a virus leap from a mobile phone handset to a car's onboard communications system.

Many security firms fear that the increasing number of computers and communications systems in cars will eventually make them vulnerable to the viruses that plague desktop machines. In January this year stories began circulating that some models of Lexus Landcruiser, particularly the LX470 and LS430, were vulnerable to phone viruses that travel via the Bluetooth short-range radio system.

Spyware takes pole position

Spyware has overtaken Spam as a top concern for IT managers. A recent posting on this blog discussed the $2Bn Spyware and Adware issue.

A question that begs answering is "What desktop products are the best for addressing this?" Whilst it is understood that integrated approaches to spyware through appliances are likely to overtake desktop-client-only solutions in future, the fact of the matter is that desktop client software is where these tools are being deployed now.

After returning from my recent US trip with a spyware-infected laptop, courtesy of the local hotel wireless link (and yes, I had the corporate McAfee 8.0i activated!), I realised that this was a serious issue for my personal security and productivity and did some research to see what spyware software I should load onto my PC (as clearly McAfee wasn't doing the job).

A recent comparison in "What Laptop?" magazine produced some shocking results: the heavyweight products from McAfee and Symantec fared very poorly, whereas top spot went to Microsoft's AntiSpyware Beta (using the Giant engine) and Sunbelt Software's CounterSpy (also using the Giant engine), followed by Webroot Spy Sweeper, all of which detected 85% or more of the adware and spyware thrown at them in the tests. McAfee scraped together a 30% detection rate, and some other big names mustered only 10%.

I downloaded the Microsoft Beta and the installation went without a hitch. The initial scan found and removed the three programs that were proving impossible for me to remove from my laptop and after a month I cannot say that I have had any complaints.

Raising your security bar

Here is a nicely written article with a lot of common-sense suggestions for frustrated security professionals on how to get security embedded in their organisation.

There's a tendency sometimes to assume a "security by obscurity" posture and forget or minimize perceived risk. Why? Well, for a number of reasons:
  1. Security isn't a priority: With deadlines and commitments, who has time to think about security?
  2. Neglect: We haven't had a problem up to now, so we shouldn't have one in the future.
  3. Culture: The boss doesn't care; why should I?
  4. False sense of security: We're using Windows and keeping upgraded; it works at home, so what's the problem?
  5. The unknown: Not sure of what we've got and how it works, but since it works, don't mess with it.

The list can go on and on. These are the things that keep CIOs and security managers awake at night. Combined with the lack of awareness by the CEO, the board or other executive officers, building a budget case that includes risk mitigation (let alone justifying it) is extremely difficult. Oh, and by the way, these are clear signs that IT is marginalized in your organization.

All is not lost. This article contains a list of activities that, if used effectively, can assist security personnel in turning things around and getting security woven into the fabric of the organization.

Security Tools Not Enough, Say Execs

After what seemed like forever, the execs are finally realising that security is about more than products.

"Installing more technology doesn't solve the entire problem of protecting corporate data", users said in the wake of recent security incidents at Polo Ralph Lauren and other companies. "User awareness, training and risk-mitigation efforts are also vital", they noted.

"Technological breakdowns are rarely the source of the breach," said Tim O'Pry, chief technology officer at The Henssler Financial Group in Marietta, Ga. "More often than not, it's good old-fashioned human frailties."

Addressing that issue often requires companies to increase their investments in user awareness, training and education, said Matt Kesner, CTO at Fenwick & West LLP, a law firm in Mountain View, Calif. Security managers "pay lip service to the issue but don't do a good job of training our users and employees," Kesner said. "A lot of people, even in senior positions, aren't aware of the threat every time you attach a computer to the Internet."

Mobile Device Security Neglect

In a reaffirmation of what we all probably already suspected, enterprises are totally unprepared for securing mobile PDAs.

Most corporate users are unprepared for mobile device security, and even those that have policies to deal with the issue don't do enough, said a Sprint official who spoke at this week's Wireless Security Conference.

End-point integrity Security is hotting up

In a move that further adds to the momentum of adaptive security architectures and self-defending networks, the Trusted Computing Group (TCG), whose promoters include IBM, Microsoft Corp. and Intel Corp., has released details of a new Trusted Network Connect (TNC) architectural standard for authenticating and enforcing security policies on client devices that connect to corporate networks.

This joins Cisco's Network Admission Control (NAC) Identity Based Security model (IBSM) and Dimension Data's Adaptive Secure Infrastructure (ASI), and more architectures are probably likely to follow. The main difference is that TNC is being designed to work in a multivendor networking environment, whereas Cisco's NAC works only with its own network technology.

The enforcement of end-point integrity is becoming a popular approach among industry giants to solve the security issues of the day, and will allow IT managers to set rules to deny, permit, quarantine or restrict network access depending on the security status and identity of a user's PC, laptop or handheld device.

AT&T to drop third-party security for its own software

I had to double check the date on this article to ensure it was not April 1st!

Can you believe this - AT&T publicly stating that they are throwing out all their firewalls, IDSes etc. because they are confident that the 350 people they have developing security software for their network can do a better job. Looking ahead, AT&T will rely on custom-built software to protect the global backbone network used by its customers.

"We'll put our own software directly into the network," said Eslambolchi, who also is AT&T's chief technology officer. The outside technology targeted for elimination includes firewalls, intrusion-detection systems, tools for protecting against denial-of-service attacks and even e-mail spam filtering products.

Now I know security is converging into the network, but AT&T must have big ganoonies to go public on this one and state that they don't need the wares of Cisco, Check Point, Juniper etc.

Lurking Liabilities in Security Law

This is an article that could provide some food for thought for CIOs with regard to the evolving landscape of legal liabilities as it relates to security.

CIOs have a new name to know: Zubulake. And if they don't, they could be heading for trouble. Zubulake is shorthand for the case of Zubulake v. UBS Warburg LLC, which was heard recently in a federal court in New York. The court's decisions in that case established new standards for retaining electronic data. "The courts are increasingly depending on companies and their lawyers to produce electronic evidence and to make sure it's not destroyed," says Adam Rosman, a lawyer at Zuckerman Spaeder LLP in Washington. "It was an obligation that didn't previously exist."

The article lists five security issues with regulatory impact that CIOs are currently overlooking:

  1. A threat of legal or regulatory action
  2. Security threats from employees
  3. Corporate relationships with third-party service providers
  4. Changes in best practices
  5. Double-edged audits

A culture of security

Attorneys and other legal experts caution that the best defense against being caught unaware on security law is to hard-wire security into the culture of your company. Here are six ways to work toward that end:
  1. Advocate for a security committee at the board of directors level.
  2. Adequately fund budgets for security-related initiatives.
  3. Educate employees that security begins at their own desks.
  4. Incorporate security into system design.
  5. Appoint an IT risk assessment officer to consider scenarios and responses.
  6. Form new internal partnerships among IT, business and legal departments to collaborate on security.

Source: www.computerworld.com

Friday, May 13, 2005

900,000 Telewest customers blacklisted

More than 900,000 customers of UK Internet service provider Telewest have been blacklisted by one of the most powerful anti-spam groups on the Web.

According to News.com, the Spam Prevention Early Warning System (SPEWS), whose blacklist is referenced by many anti-spam controls, imposed the block in response to the high number of Telewest customers whose machines have been compromised and taken over for the purpose of sending spam. Last month, Silicon.com revealed that some of Telewest's Blueyonder.co.uk home subscribers were sending hundreds of thousands of e-mails each day, a sure sign that those machines have been compromised and are being used as spam relays.

However, a Telewest representative says the company believes SPEWS' actions have been "a little heavy-handed".

Best you patch your Cisco IOS now

Once seen as an isolated event, last year's breach of networking giant Cisco Systems Inc.'s network now appears to be part of a much larger operation that could eventually result in the disruption of networks worldwide.

Industry observers disagree on the significance of the security breach, but they do believe it should serve as a wake-up call for businesses that have delayed the implementation of IOS-related patches.

Daniel Golding, a senior analyst with Midvale, Utah-based Burton Group, said organizations must immediately apply any relevant security fixes because the stolen code could be used to exploit unpatched Cisco networks.

Spyware and Adware a $2Bn business

Some experts say that spyware and adware programs generate between $500 million and $2 billion per year in revenue for advertising middlemen. That's not surprising if one considers that some of the largest companies are, perhaps unwittingly, paying for ads served through spyware. A story by the Los Angeles Times dives into the spyware game in detail.

In short, a large company hands over money to an ad agency to develop its online ad strategy. The ad agency then turns to advertising networks and their affiliates to serve the ads to Web surfers. Along the way, the ad networks and the affiliates get a cut of the ad spending based on user behavior (rates are based on whether or not the user views the ad, clicks on it or makes a purchase through the ad). As the Times points out, the more clicks, the more money to the ad networks and their affiliates. To take advantage of this model, some companies use holes in browser security to install programs that continuously serve ads to users. Big-name companies get caught up in this when their ads are the ones popping up, thus supporting the practice.

The Times singles out companies such as FindWhat, Claria (and Yahoo by association), Intermix Media, 180Solutions, WhenU.com and DirectRevenue as companies whose practices have been called into question. Said Joe Stewart, a security researcher for Lurhq Corp., "Before long, [users] will start to think the Internet is supposed to have pop-up ads on every page."

Microsoft Makes First Move into Consumer Security

In what is likely to be a precursor to its entrance into enterprise security, the software giant plans to roll out an internal beta of its new security service, dubbed Windows OneCare, to employees next week, the first official step in an ambitious plan to bundle anti-virus, anti-spyware, firewall protection and PC cleanup tools for Windows users. In the summer, Microsoft will expand the test to consumers in a "private, invite-only manner," and a full-scale rollout won't be ready until the end of the year.

First mobile phone virus site launched

The Commwarrior.A virus, which has been the subject of the world's press for the last few weeks, is capable of sending itself to other handsets using MMS. This means that the virus can spread at a great rate and has the potential to go global very quickly. Technology experts around the globe believe that it is only a matter of time before a major outbreak occurs, with the potential to inconvenience hundreds of thousands of phone users. The symptoms of an attack could be multiple, from sending undetected premium-rate text messages to total loss of the handset data.

Now finally, a new website has been launched on the Internet to keep phone users up to date with the latest developments. http://mobilephonevirus.com/ is currently the only site on the Internet to focus solely on the risks phone viruses can pose.

Founder Sam Blakeman said, "I read an article about the potential problems a virus could cause if it got into the mobile phone network. When I tried to find out more information I discovered that there was little available." With that, mobilephonevirus.com was created. He added, "We aim to provide our visitors with the latest news and also offer a free alert service so users can be informed immediately of any outbreak, together with information on what they can do to protect themselves. Whilst the current risk is small, it's only a matter of time before phone viruses become a real problem. We hope that by keeping people informed we can minimise the effect that any outbreak will have."

Why 3 million pick the Blackberry

Blackberry - the handheld e-mail device that has become a badge of honour in executive circles - has hooked its three millionth subscriber.

Corporates like Blackberries because users are restricted in what they can do on the device, which is good for support and security. There is a developing market for corporate smart phones that can be "locked down" and tightly integrated with a company's secure network.

Tuesday, May 10, 2005

Enterprises take sloppy approach to logging

If a new report from the SANS Institute is any indication, enterprises are jeopardizing security by taking a sloppy approach to log keeping.

As a result, the report recommends some companies abandon home-grown logging systems in favor of commercial tools or simply outsource the task. "If you go into a room full of IT managers and ask how many are working on home-grown log solutions, half the room will raise their hands," the report (not surprisingly) states. "Why is that bad? Because the guy who writes it leaves and doesn't document what he did or leave instructions behind. Then the person who takes over can't figure out how to interpret the logs or what to do if there's a problem."

Security experts have long advised that a clear audit trail is necessary to track suspicious network activity and quickly respond to security incidents. The report agreed, and said companies that decide to take it seriously should "buy a commercial tool and pray that it works" or "get help from a MSSP."
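The report's complaint about home-grown logging is not that the idea is wrong but that it is usually undocumented: nobody can say what the script parses or what a hit means once the author leaves. The following is an added example, not from the SANS report or the article, of what a documented, minimal audit-trail check looks like: it parses OpenSSH `sshd` syslog lines (the "Failed password for ..." and "Accepted ... for ..." message formats are OpenSSH's own; the hostnames, PIDs and IP addresses in the sample are constructed) and flags source addresses with repeated failed logins. The line formats and the alert threshold are stated up front so the next person can read them.

```python
"""Parse sshd authentication events from syslog lines and flag brute-force sources."""
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample log lines for the example (not from a real system).
SAMPLE_LOG = """\
May 10 08:01:12 host1 sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51522 ssh2
May 10 08:01:14 host1 sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51523 ssh2
May 10 08:01:16 host1 sshd[2231]: Failed password for root from 203.0.113.7 port 51524 ssh2
May 10 08:02:01 host1 sshd[2240]: Accepted publickey for alice from 198.51.100.5 port 40022 ssh2
May 10 08:03:30 host1 sshd[2251]: Failed password for bob from 198.51.100.5 port 40100 ssh2
May 10 08:04:00 host1 CRON[2260]: (root) CMD (run-parts /etc/cron.hourly)
this line is not syslog at all
"""

# Documented line formats: whoever inherits this script can see exactly what is parsed.
# Traditional syslog prefix: "<Mon dd HH:MM:SS> <host> <program>[<pid>]: <message>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[\w./-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# OpenSSH failure/success messages (the "invalid user" prefix appears for unknown accounts).
FAILED_RE = re.compile(
    r"^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)
ACCEPTED_RE = re.compile(
    r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)


def parse_auth_event(line: str) -> Optional[Dict[str, str]]:
    """Return a dict for sshd success/failure events, None for anything else."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if not m or m.group("prog") != "sshd":
        return None
    msg = m.group("msg")
    for outcome, pat in (("failed", FAILED_RE), ("accepted", ACCEPTED_RE)):
        e = pat.match(msg)
        if e:
            return {"ts": m.group("ts"), "host": m.group("host"),
                    "outcome": outcome, "user": e.group("user"), "ip": e.group("ip")}
    return None


def failed_logins_by_source(lines: List[str]) -> Counter:
    """Count failed password attempts per source IP across the given lines."""
    counts: Counter = Counter()
    for line in lines:
        ev = parse_auth_event(line)
        if ev and ev["outcome"] == "failed":
            counts[ev["ip"]] += 1
    return counts


def flag_brute_force(counts: Counter, threshold: int = 3) -> List[str]:
    """Source IPs at or above the threshold, busiest first (ties broken by IP)."""
    ordered = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [ip for ip, n in ordered if n >= threshold]


if __name__ == "__main__":
    # Offline run over the constructed sample; point it at /var/log/auth.log in practice.
    lines = SAMPLE_LOG.splitlines()
    counts = failed_logins_by_source(lines)
    for ip in flag_brute_force(counts):
        print(f"ALERT: {ip} had {counts[ip]} failed sshd logins")
```

Unparseable lines and non-sshd programs are dropped rather than guessed at, which is the behaviour you want from a script that feeds an incident timeline: a count you cannot explain is worse than no count.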

Phishing is Yesterday’s News – Get Ready for Pharming

From today's perspective, phishing attacks seem simpler and much less of a threat than the new breed of online attacks now being experienced. Phishing attacks, while adopting the persona of known online organizations, are easy to identify and can be shut down relatively quickly. Interestingly, organized crime has taken over the perpetration of these attacks and their sophistication has increased significantly. Today, users face much more insidious forms of attack that are more difficult to detect and defend against.

This new breed of attack is commonly referred to as "pharming." Instead of simply tricking the user into responding to a bogus e-mail that directs them to a counterfeit web site, pharming uses much more subtle ways to trick the user into surrendering their identity and sensitive information. As the article describes them, these attacks use Trojan horses to install keystroke loggers and redirectors that allow an attacker to capture passwords and credit card numbers without the user having to do anything out of the ordinary. More generally, the term covers any attack that tampers with name resolution, whether by rewriting the local hosts file or by poisoning a DNS cache, so that a correctly typed bank address still lands on the attacker's server; an unexpected certificate warning on a site that normally shows none is often the only visible sign.
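The hosts-file variant is the easiest for a desktop trojan to plant and the easiest to check for. The following is an added example, not from the article, of such a check: it parses hosts-file text and reports any entry that pins a watched domain (or a subdomain of one) to an address. The sample hosts content, the `examplebank.com` and `example.net` watch list and the `203.0.113.0/24` and `198.51.100.0/24` addresses are constructed for the example; the file locations named in the comment (`/etc/hosts`, and `%SystemRoot%\System32\drivers\etc\hosts` on Windows) are the real ones.

```python
"""Flag hosts-file entries that override name resolution for watched domains."""
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Constructed hosts file content for the example (not a real capture).
SAMPLE_HOSTS = """\
# standard entries
127.0.0.1       localhost
::1             localhost ip6-localhost
192.0.2.10      intranet.example.corp

# entries a pharming trojan might append (constructed)
203.0.113.9     www.examplebank.com examplebank.com
203.0.113.9     online.examplebank.com
198.51.100.20   mail.example.net   # looks harmless, is not
not-an-ip       garbage.example.net
"""

# Public domains whose resolution should never come from the local hosts file
# (hypothetical watch list for the example).
WATCHED_DOMAINS: Tuple[str, ...] = ("examplebank.com", "example.net")


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs; comments, blank lines and malformed IPs are skipped."""
    pairs: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip trailing comments
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # not a resolvable mapping, the resolver ignores it too
        for name in names:
            pairs.append((ip, name.lower().rstrip(".")))
    return pairs


def is_watched(hostname: str, watched: Iterable[str] = WATCHED_DOMAINS) -> bool:
    """True if hostname equals a watched domain or is a proper subdomain of one.

    The leading dot matters: "evilexamplebank.com" must not match "examplebank.com".
    """
    return any(hostname == d or hostname.endswith("." + d) for d in watched)


def hosts_overrides(text: str, watched: Iterable[str] = WATCHED_DOMAINS) -> Dict[str, str]:
    """Map each watched hostname pinned in the hosts file to the IP it is pinned to.

    Any hit is suspicious regardless of the address: a legitimate hosts file has
    no business pinning public bank or mail domains at all.
    """
    watched = tuple(watched)
    return {name: ip for ip, name in parse_hosts(text) if is_watched(name, watched)}


if __name__ == "__main__":
    # Offline demonstration on the constructed sample. In practice read the real file:
    # /etc/hosts on Unix-like systems, %SystemRoot%\System32\drivers\etc\hosts on Windows.
    for name, ip in sorted(hosts_overrides(SAMPLE_HOSTS).items()):
        print(f"SUSPECT: {name} pinned to {ip}")
```

The check is deliberately independent of what the "right" address is, since public sites change addresses and a trojan may pin the real one today and swap it later; the presence of the entry is the finding. It does not catch DNS cache poisoning, which needs a comparison of resolver answers against an independent source.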

Recent high profile tape-thefts

The recent spate of revelations from companies that backup tapes containing over 2 million customer details have been lost has pointed out the fact that organizations may need to reconsider their backup policies and procedures.
One poll of 400 companies found that more than 60% do not encrypt any of their backup data and that just 7% encrypt all their backup data. Another problem is that the job of making backup tapes tends to fall to those ranking low on the IT department scale of importance, which increases the possibility that they could be bribed.

Cisco and Juniper joust over security blueprints

A smaller venue and larger turnout last week helped infuse Interop 2005 with long-absent excitement about the network industry. The conference featured keynote addresses on back-to-back days by Cisco CEO John Chambers and his counterpart at rival Juniper. They laid out distinct paths users can choose when building secure, wired and wireless corporate networks: one-stop-shop vs. multi-vendor.

Executive guide to Compliance

Now here is an excellent 4-chapter ebook which, although sponsored by Alterpoint, was written independently through http://www.realtimepublishers.com

It is entirely vendor independent and offers customers, who are typically in the dark on these issues, some excellent insight. What I really liked about it is that it sketches everything in terms of networking and security examples.

I am sure it may be worth reading ourselves, to understand our customers' challenges.

Thirty-Two Instant Messaging Rules

I found this really interesting article that highlighted a number of legal issues with regard to the use of IM that I was not aware of. I know many customers are not taking these legal risks into consideration.

Consider this scenario: You have your whole staff assembled for a planning meeting. People have their laptops and Blackberries to take notes and respond to urgent e-mails. Two employees in the back of the room are sending each other instant messages to keep from nodding off. One sends an off-hand comment to the other about the department's young new intern. Although no one else in the room is aware of this private conversation, it could present significant problems to the company some day. The mere fact that this electronic conversation took place using company resources - the computers and communication network - makes this an official company record. What's more, if the day ever came when the intern sues the company over sexual harassment issues, the company could be required to produce a record of that flippant remark that was never intended to go beyond the two guys in the back of the room. Those couple of words, sent "instantly" from one person to another, could be a smoking gun.

Thirty-Two Instant Messaging Rules: Best Practices to Keep You in Business and Out of Court http://www.epolicyinstitute.com/imr/32rules.pdf

Juniper copycats Cisco

Hot on the heels of the recent launch of Cisco's all-in-one Adaptive Security Appliance, Juniper is adding intrusion detection to one of its firewall/VPN devices and revamping its line of stand-alone intrusion-detection gear, making it possible for businesses to streamline network administration by deploying fewer boxes.

It looks like Symantec called it right two years ago that the market would gravitate to all-in-one appliances, although I think this thinking may take some time to take hold among customers, as I am certainly still witnessing strong "best-of-breed" buying in the market.

Security Players Shoot An All-In-One Trifecta

It looks like the all-in-one integrated security appliance market marches on. It will be interesting to see who wins this one: the herd of niche "best of breed" players, the networking vendors who are embedding security into their gear with "all-in-one" approaches, or the security players like Symantec with their all-in-one appliances. One thing is for sure, customers will be spoilt for choice, and maybe even more confusion will reign out there...

Juniper Networks, Cisco Systems and 3Com's TippingPoint division are integrating a trifecta of security features into all-in-one appliances that give partners new ways to help cut the cost and complexity of security solutions.