Thursday, June 30, 2005

Ten tips for mobile security

#100 You never, ever leave your credit card out where people can easily take it. So why would you leave your data unprotected and exposed? Unfortunately, many people do just that every time they use their mobile devices and laptops. The rapidly growing base of mobile users is drawing the attention of hackers, who use a variety of schemes to get at your data and personal information.

We all need to wise up and take measures to safeguard our mobile data. This article takes a look at how to be secure in some common situations that you'll likely encounter when you're on the road.

3rd CSO Interchange meets

#99 Chief Security Officers Gather at 3rd CSO Interchange in Chicago to Address Key Security Concerns. CSO Interchange provides a forum for Chief Security Officers at corporations, government agencies and other organizations to exchange ideas, discuss challenges and learn from the real-world experiences of their peers. Policy compliance, internal security threats and increased job complexity topped the list of concerns for more than 60 security executives who met yesterday.

According to the survey, nearly 100% of CSOs feel they are well prepared to handle spam, worms and viruses, denial of service attacks, and hacker attacks. However, 88% feel their organizations are least prepared to handle inadvertent loss of data, social engineering and inappropriate use. In addition, 75% reported their jobs have become more difficult or substantially more difficult than they were last year.

Additional findings from the survey include:
  • 64% of CSOs surveyed are more concerned about compliance this year than they were last year, and 38% report their budget for compliance solutions grew during the past year;
  • 74% say their organization must comply with more than five laws and regulations;
  • 68% say their security budget is less than 10% of their total IT budget;
  • 83% outsource less than 10% of their security, and 40% do not outsource security processes at all;
  • 70% feel they do not receive sufficient early warning for cyberattacks.

Antispyware market to rocket

#99 The corporate anti-spyware market is predicted to explode over the next four years, extending to more than 540m seats in 2009, a 30-fold increase from an estimated 16m seats in 2005, according to a study by analysts the Radicati Group published this week.

Security concerns - including regulatory compliance risks posed by spyware threats - and the effect of spyware on worker productivity are driving the growth in the market. Radicati's Corporate Anti-Spyware Market, 2005-2009 report also indicates that the cost of managing spyware is quickly rising as spyware programs become increasingly devious. It reckons the administrative cost of dealing with spyware-infected computers will reach about $265 per user in 2005.

Security concerns stunt e-commerce

#98 Security concerns are eroding Internet users' confidence and having such a chilling effect on their online behavior that U.S. business-to-consumer sales will grow more slowly than expected in coming years, Gartner Inc. warned this week.

Alarmed at the startling rise in phishing attacks, spyware intrusions, virus infections and the compromising of personal data, Internet users are limiting their e-commerce activities. Consequently, Internet service providers, financial institutions, online retailers and other companies selling goods and services to consumers via the Internet must address these concerns and put safeguards in place to protect their clients.

In a similar survey done by The Conference Board more than 13% of all Internet users say they or a member of their household has already been a victim of identity theft. The survey found that nearly 70% of consumers have installed additional security software on their PCs, and 41% said they're purchasing less online -- a fact that has some pretty negative ramifications for e-tailers, including slowing the growth of e-commerce.

Avalanche of new security laws proposed

#97 We said it was going to happen - just as we were coming to terms with Sarbanes-Oxley, a far-reaching new bill includes an avalanche of new rules for corporate data security and stiff penalties for information burglars.

I mentioned previously that corporations are more concerned with legal risk than the risks posed by hackers, and legislation is therefore the only way to enforce security. Thus the trend for the next two years would be that major publicised breaches would lead to new laws which would drive information security spending, and that legislation would become a driving force in infosec as opposed to organisations being expected to "do the right thing".

The bill represents the most aggressive--and at 91 pages, the most regulation-oriented--legislative proposal crafted so far in response to a slew of high-profile security breaches in the last few months.

India to tighten Data Security Laws

#96 The Indian prime minister has asked for changes in cybersecurity laws, after allegations of a call center data breach. I am not surprised at this reaction - the perception that data integrity is under threat in offshoring could severely dent the Indian economy if customers took flight. Obviously, all the high profile and mind boggling data thefts of the last few weeks (covered in a few previous blog entries) have left everyone jittery.

In a meeting Wednesday, Singh directed the Department of Information Technology to hasten the process of amending the Indian IT Act to ensure that any breach of secrecy and any illegal transfer of commercial or privileged information is made a punishable offense.

Singh reviewed the situation in light of the recent case of alleged sale of customer data by an Indian call center employee to an undercover reporter of British newspaper The Sun last week. Singh said the sting operation may have been directed to give Indian industry a bad name in light of its growing competitiveness.

Why bosses worry about security

#95 The Economist has published an article entitled "The Leaky Corporation" in the wake of this month's spate of high profile, mind boggling security breaches.

Just as bosses and boards had finally sorted out their worst accounting and compliance troubles, and beefed up their feeble corporate governance, a new problem threatens to earn them the sort of nasty headlines that inevitably lead to heads rolling in the executive suite: data insecurity. Left, until now, to geeky, low-level IT staff to put right, and seen as a concern only of data-rich industries such as banking, telecoms and air travel, information protection is now high on the boss's agenda in businesses of every variety.

Just as there is the concept of Generally Accepted Accounting Principles (GAAP), there is now talk at some business schools that perhaps it is time for Generally Accepted Security Principles (GASP).

Thursday, June 23, 2005

Top Security Mistakes to avoid

#94 As I consult and do security assessments with many customers, I am fairly accustomed to telling them what to do. However, every now and again a shrewd IT manager or CSO/CISO will ask me "What mustn't I do?". Initially I couldn't provide an answer, but after a while I understood the crazy logic. Faced with the challenge of 100 things that need doing in a security program, perhaps it does make sense to look at the things NOT to do first - maybe the list is shorter and it will help you prioritise things!

And so I started a list of top CSO/CISO mistakes that I would observe in my dealings with them in the hope of sharing it with them next time I got asked that "difficult question". The focus I adopted was the mistakes that IT depts. or heads of security programs could avoid that could be career-limiting, that I observed in my daily dealings.

I came across the article in the heading link of this post today and really enjoyed it. It focuses on the top-7 customer mistakes, from a more technical controls and approach perspective. First it confirmed what I was observing and second, it helped me prioritise the list of things I currently already had. Thirdly, the author had spent some time describing the details behind his top 7 mistakes. This is a worthwhile read for us and customers alike.

Here is the list I use for my customers; some overlap with those mentioned in the article, and combining the two lists creates a great "What NOT to do!" list of 20 things:

(NOTE: This posting has been revised and improved, go here to see revised version.)

1. “It will not happen to us” or “The problem will go away”
2. “Virus infections are just a nuisance and not a BC issue”
3. Authorizing reactive short-term fixes
4. Failing to realise the value of their information and organisational reputation
5. Failing to realise the costs of lost productivity and downtime
6. Relying primarily on firewall and antivirus
7. Failure to deal with the operational aspects of security
8. Failure to understand the relationship of information security to the business problem
9. Assigning untrained people in an unorganised fashion to maintain security
10. Underestimating the costs of “catching up when the need arises”
11. “I can’t be held legally liable for lax information security”
12. Security is the IT department's problem
13. “My management are not concerned so why should I be?”


Thriving market for stolen data

#93 With all this data and identity theft going on and grabbing headlines, some of you must be wondering "Now what do the thieves actually do with all the data they steal?".

This fascinating article takes you into the underworld of stolen data peddlers and how there is a thriving online market for their ill-gotten gains. The online trade in credit card and bank account numbers, and other consumer information, is highly structured. There are buyers and sellers, intermediaries and even service industries.

A visit to one such site can prove fascinating for those interested in how they operate (if it is still available; it seems to get removed and then reappears magically from time to time). "Want drive fast cars?" asks an advertisement in broken English atop the Web site. "Want live in premium hotels? Want own beautiful girls? It's possible with dumps from ZoOmer." (A "dump" is a credit card number and other details stolen from some hapless soul.)

Gartner latest security survey results

#92 According to results of a new survey released yesterday by Gartner, firewalls, intrusion detection and prevention, and antivirus software are the high-priority defenses information technology (I.T.) managers are pursuing this year to combat I.T. security threats.

Organizations are more concerned about viruses and worms than any other security threat. Outside hacking (cracking), as well as identity theft and phishing also are considered significant issues. In addition to firewalls, intrusion detection and prevention, and anti-virus defenses, other spending priorities in I.T. security include patch management, strong user authentication, remote access, vulnerability assessment, user provisioning or identity management, security event correlation and reporting, spam filtering and Web-site filtering or blocking.

More than half the respondents said they preferred buying "best-of-breed" products from multiple technology providers. Multivendor suites integrated under a common framework were preferred by more than one-third of the survey participants.

Wednesday, June 22, 2005

Hackers target security products

#91 I have been watching the reports coming in of AV and security vendors releasing ever increasing patches for vulnerabilities in their own software, with some interest. Now, according to analysts, it would seem that as the pool of easily exploitable Windows security bugs dries up, hackers are looking for holes in security software to break into PCs.

Microsoft's Windows operating system has been a favourite target of hackers, but in a truly ironic twist, new security flaws are being discovered in security products at a faster rate than in Microsoft's products - attracting the attention of the hackers, of course. Software makers should look at their security processes, and users need to get ready to patch security products. Also, buyers should ask tough security questions when buying new security products.

A case of the "fox watching the chicken coop" is perhaps developing?

Fallout predicted for credit card hack

#90 The full implications of the 40 million credit card details that were stolen in a daring hack yesterday are starting to surface. Security experts have warned that the recent massive cybersecurity breach could trigger a wave of phishing and virus attacks exploiting confusion around the theft.

Email users are being warned to be on the lookout for new social engineering techniques attempting to exploit the widely-publicised theft of up to 40 million credit card account details from a transaction processing firm. With a great many Discover, MasterCard and Visa customers likely to be worried about the effect on them of the world's largest card security breach, it is likely phishers will try to prey upon their uncertainty. Users may receive emails purporting to come from their credit card company asking them to enter their details and card numbers for the purposes of fraud protection or to reactivate their account. Often such emails may even claim a fraud has been committed, and against the backdrop of last week's data breach many users will assume that the news is indeed legitimate.

Major Smartphone worm by 2007

#89 Further to previous posts on this site about mobile device security neglect, and the concern around this leading to the launch of the world's first mobile phone virus site, we now have major analysts warning that mobile networks need to start building malware defences into their infrastructure now to avoid a meltdown when smartphones and PDAs take off.

They noted that companies will not have to worry about large-scale virus outbreaks targeting their smartphones for another 18 months. However, after that, even antivirus software is unlikely to help, Gartner analysts John Pescatore and John Girard wrote in a research paper published earlier this month. The paper looks at how enterprises should prepare for the growing threat from malicious software for mobile phones and PDAs.

James Turner, a security analyst at Frost & Sullivan Australia, agreed that client-based reactive antivirus protection is unlikely to provide adequate protection. "Signature-driven antivirus tools are great for hindsight, but we are at a turning point where signatures are not enough… Currently the attackers are testing their tools against the most popular antivirus products, which means the threat they release has effectively been certified against what we are running," said Turner, who believes protection should be provided at the network layer. "We need to place more emphasis on tools that detect anomalies in network traffic and behaviour." This sentiment was echoed by all the analysts interviewed.

Monday, June 20, 2005

Phishers net smaller fry

#88 We discussed in a previous posting that phishers hit 79 brands in April. As further evidence that criminals and online fraudsters have started targeting smaller victims in hopes of fooling a larger percentage of customers, Internet security firm Netcraft published an advisory warning that the number of phishing attacks aimed at smaller financial institutions has jumped significantly over the past few weeks.

While larger banks and e-commerce sites have had to deal with the problem of online e-mail scams (phishing) targeting their customers--and even supermarkets have had the dubious honor of gaining the attention of fraudsters--for smaller banks and credit unions, it's still a relatively new experience.

Storage Security market is born

#87 In the background to all the postings to this blog about ID and data theft, we focused on how all the recent high profile incidents around data theft were leading to storage managers citing security as their top concern, and an ensuing debate about data encryption.

Following this, Network Appliance Inc. today said it intends to buy start-up Decru Inc. for $272 million, giving legitimacy to a small but fast-growing market of storage security products. The move comes on the heels of many high-profile data thefts and losses in the financial services industry and other businesses that have spurred IT shops to begin deploying technology to encrypt archived data, analysts said.

The move by NetApp trumps the industry in what will likely be a rush by other vendors to either buy or create their own storage security technology, an area that has been neglected up to now. According to an analyst from Enterprise Strategy Group Inc. "Other storage companies who really have paid little attention to storage security have to take note now."

While storage security is about a $60 million market today, within two years, "you won't be able to have a conversation with a client about storage without talking about security," the analyst said.

Britain under targeted attack

#86 This is something that is likely to have some governments nervous. It would appear that advances in hacking technology are allowing mass scale theft of confidential information from governments, in addition to the corporate sector we seem to spend most of our time talking about. A well-organized group of hackers has engaged in a "large scale industrial" attack designed to cull commercially and economically valuable data from vital computer networks across Britain, the government warned today.

The U.K.'s National Infrastructure Security Co-Ordination Center yesterday released a report (PDF format) disclosing that more than 300 government departments and businesses were targeted by a continuing series of e-mail attacks designed to covertly gather sensitive and economically valuable information. The attacks are from Asia. "We have never seen anything like this in terms of the industrial scale of this series of attacks," NISCC Director Roger Cumming said. "This is not a few hackers sitting in their bedroom trying to steal bank account details from individuals."

Unlike phishing and mass-mailing worms, the attackers appear to be going after specific individuals who have access to commercially or economically privileged information. The attacks involved the use of e-mails containing so-called Trojan programs or links to Web sites containing Trojan files. Once installed on a user's system, Trojans covertly run in the background and perform a variety of functions, including collecting usernames, passwords and system information; scanning drives; and uploading documents and data to remote computers.

Another interesting link to this story is here.

Breach exposes 40 million accounts

#85 It would seem the records keep getting broken. This has got to be the biggest (public, at least) online breach in history, and it provides further discomfort to an already concerned public in the wake of recent high profile identity thefts.

MasterCard International on Friday said information on more than 40 million credit cards may have been stolen. Of those exposed accounts, about 13.9 million are for MasterCard-branded cards, the company said in a statement. Some 20 million Visa-branded cards may have been affected and the remaining accounts were other brands, including American Express and Discover.
The breach occurred at CardSystems Solutions in Tucson, Ariz., a third-party processor of payment data, according to a MasterCard statement. An intruder was able to use security vulnerabilities to infiltrate the CardSystems network and access the cardholder data, MasterCard said. CardSystems is one of several companies that process transactions for banks and merchants. The security breach at the company was discovered using tools that monitor for credit card fraud, MasterCard said.

Tuesday, June 14, 2005

Gartner magic quadrant for SIM

#84 Gartner have released their second magic quadrant for the Security Event Management Market. In a previous posting we discussed that most corporates are failing to introduce simple logging tools to monitor their security environment for breaches and to comply with legislation and accepted best practices.
The security information and event management market is driven by customers' need for better real-time awareness of external and internal threats, the need for security data analysis and reporting, and the need to monitor systems and report on security policy compliance. Primary adopters of this technology tend to be large organizations with complex IT infrastructure and dedicated IT security staff. Although many organizations have successfully deployed this technology, it remains complex to implement.
This is still a fragmented market in which no dominant vendor has emerged. The magic quadrant features the same leaders as last time; some shuffling has occurred in the top places, but once again no single leading or dominating vendor has emerged yet. Top players are e-Security, Intellitactics, Netforensics and ArcSight.

The summary can be found at the link embedded in this posting's heading. If you have access privileges, you can sign in to see the full report. If you do not have access, you will be able to purchase the report.

Monday, June 13, 2005

Gartner's overhyped security threats

#83 Last week, senior Gartner analysts slammed the industry's overhyping of threats to mobile computing devices, wireless and VOIP. They also fingered compliance fear-mongering and rumours of "superworms" as contributing to the security over-hype.

Now I follow Gartner closely, and they are usually the first to publish reports along the lines of "Time to prepare for...x" or "Get ready for...x" (replace x with latest flavour of the month threat), so this is a bit of a change of tack for them. And they were the first to warn of the threats of VOIP.

Nevertheless, this has created much interesting debate, which you can view at InfoWorld and NetworkWorld.

Symantec launches Worm Simulator

#82 This is something that may be quite educational to some customers.

When a new worm spreads around the world, people want to know if they are protected. How fast is it? How does it spread? A new simulation program developed by Symantec Research Labs not only has the answers, it also provides pictures. The new Symantec Worm Simulator visually demonstrates how worms spread through the Internet, and how they fare against a custom network and security policy.

To use the Worm Simulator, all users need to do is load a simulation file and click “play.” The Worm Simulator is distributed with simulations of six actual worms: MyDoom, Netsky, Sasser, Slammer, Blaster, and SoBig. Each simulation is tailored to accurately represent how the real worm spread in the wild. As entirely new worms appear in the wild, simulations of these worms can be constructed to demonstrate the worm's characteristics to users.

You can download the Worm Simulator here.

Friday, June 10, 2005

Infosec tops list of CFO concerns

#81 Information security topped this year's list of concerns in the seventh annual Technology Issues for Financial Executives survey. The survey was conducted by Computer Sciences Corporation (NYSE: CSC), in association with the Financial Executives Research Foundation (FERF), the research affiliate of Financial Executives International (FEI).
For the first time, "information security" emerged as the number one concern related to technology among financial executives surveyed, replacing "prioritizing technology investments," which dropped to number two. Only one in five chief financial officers (CFOs) are "highly satisfied" with their security programs.
Quite frankly, I'm not surprised and companies are starting to recognize how vulnerable they are. They see the growing number of news articles about customer information being accessed or stolen and they wonder, "If these guys can be breached, how secure are we?"

Companies move to protect consumer data

#80 Companies responsible for handling consumer financial data are moving quickly to repair the weak links in their information-security infrastructure in the wake of high-profile losses and thefts of customer information (see previous blog entries here and here and here.)

Transaction Network Services Inc., which provides network services to payment processors, this week revealed that it's encrypting personal-account and credit-card information sent across its Synapse system, which provides payment services for merchants that use wireless devices, including taxi and limousine companies, towing services, arts and crafts shows, and mobile concession and souvenir stands.
No doubt, government legislators that have sprung into action to protect consumer identity information will further drive adoption of additional safeguards (see previous blog entries here and here).

What you should spend on security

#79 Many CIOs and chief information security officers (CISOs) are uncertain what constitutes a "normal" level of security spending in terms of a percentage of the overall IT budget. Unfortunately, security spending is often difficult to pin down because of the many aspects of security across the organization. Security costs include dedicated security hardware, software, personnel and services, but security spending is often embedded in other areas in hidden ways. For this and other reasons, it can be difficult to obtain reliable statistical information on enterprise security spending.

On 9th March, Gartner released a Strategic Analysis Report that represents their best effort to assemble the most reliable information they had on the topic of information security spending. It is their conclusion that, as a general rule, a security spending level of 3 percent to 6 percent of total IT budget should be the norm. However, there are many variables, outlined in the report, which can affect this spending range. There can be significant variances by industry. Also, organizations with mature IT systems will often spend less on security; highly regulated or high-risk-visibility companies will usually spend more. Although spending levels are no real indicator of security levels, such comparisons can be used as a preliminary test to see if security is underfunded or inefficient. Anything significantly higher or lower should be subject to investigation. The summary can be found here. If you have access privileges, please sign in to see the full report. If you do not have access, you will be able to purchase the report.

My company conducts a security assessment (The CxO Security Assessment) whereby we benchmark over 130 security best practices across people, organisation, processes and technology. We have completed over 50 of these globally to date, and the spending benchmark average we have found from this sample is 4%, with a low of 2% and a high of 6%, which seems to concur with the Gartner findings.

Thursday, June 09, 2005

Railway publishes passwords in magazine

#78 This is a humorous story that illustrates the casualness with which we treat passwords (see previous post).

Train operator Great North Eastern Railway (GNER) has inadvertently printed system passwords in a magazine available to thousands of passengers. The April/May edition of Livewire, GNER's passenger magazine, includes an article on the operator's control centre in York. The article is illustrated with a series of photographs, one of which shows mainframe and computer passwords written on a whiteboard.

The company carries 15 million passengers every year, eight million of whom are business travellers. The magazine has a circulation of more than 100,000.

Password insecurity at enterprises

#77 More than two-thirds of organisations are using insecure methods to store administrative and user passwords, according to a survey from information security firm Cyber-Ark.

Some 19 per cent of IT professionals admit that IT staff and other company employees store computer passwords on post-it notes. Twenty-six per cent of firms have insufficient security in place to stop unauthorised members of the IT department from accessing administrative passwords that guard critical business systems.

Findings also reveal that many large organisations around the world are storing administrative passwords, which are the key to business systems, on pieces of paper or in filing cabinets.

I have witnessed this phenomenon in customer assessments I have been involved with. It would seem that the spate of viruses and malicious code has drawn our attention to pumping millions into extra perimeter security, and we have taken our eye off the ball of good security principles of the past, like proper password management.

Bluetooth hack shocks community

#76 I suppose this was inevitable. Everyone breathed a sigh of relief when the rumors of Lexus bluetooth car kits being hacked were dispelled (see blog entry on 16th May).

But now, two researchers - Yaniv Shaked and Avishai Wool of Tel Aviv University in Israel - have come up with an exploit which allows hackers to pair with devices without alerting their owner, even with all the bluetooth security features turned on. The approach gets around limitations of a security attack first described by Ollie Whitehouse of security firm @Stake last year. This earlier method meant an attacker needed to eavesdrop the initial connection process (pairing) between two Bluetooth devices, which only occurs infrequently.

Shaked and Wool have worked out a way to force this pairing process by masquerading as a device, already paired with a target, that has supposedly forgotten the link key used to secure communications. This initiates a fresh pairing session which a hacker can exploit to snaffle the link key and thereby establish a pairing without needing to know PIN details. Once a connection is set up, an attacker could eavesdrop on data transmitted between a target device and a PC or (at least potentially) take control of someone's Bluetooth device. "Once an attacker has forced two devices to pair, they can work out the link key in just 0.06 seconds on a Pentium IV-enabled computer."

Shaked and Wool are scheduled to outline their research at the MobiSys conference in Seattle this week.

Wednesday, June 08, 2005

Citigroup loses 3.9M identities

#75 Wow - this is sure to accelerate legislation around the handling of client information, and certainly strengthens the case for encryption.

Citigroup is advising customers to take steps to protect their identity following the disappearance of a package containing credit information on 3.9 million of the company's CitiFinancial Branch Network Customers. The data, which contains customer names, Social Security numbers and payment history information, was stored on computer tapes being sent via UPS to a credit bureau.

I have been monitoring all the reported cases of ID theft and this looks to be the largest single event so far.

More data security laws sprout

#74 Further to the blog posted on 19th May (click here), where we predicted a rash of data protection legislation in the US:

Laws at the federal and state levels in the USA are altering the landscape for sharing and protecting sensitive customer information, just as widely publicized breaches at companies like Bank of America, ChoicePoint, DSW Shoe Warehouse, and LexisNexis have focused attention on the problem of ID theft. InformationWeek reports that several states, including Arkansas, Georgia, Montana, and North Dakota, have implemented ID-theft laws patterned after a law in California, and many other states have legislation pending. Observers say a national ID-theft-protection bill also is likely to be enacted.

Expect similar laws to reach west across the Atlantic and east across the Pacific in 18 months or less... As discussed in blog entry #51 on 30th May, it is a sad thing that we need regulation to drive corporates to do the right thing, but it seems inevitable that laws and regulations will play a larger and larger role in dictating security spending.

Broadband VOIP Security Woes

#73 This is a very interesting executive insight published by Bearing Point into the security problems that are starting to plague broadband VOIP. My company installs hundreds of large corporate VOIP networks yearly on a global basis, and we have a specific proven methodology for securing these, but it would seem that the massive uptake in public broadband VOIP has resulted in the majority of security issues being experienced at broadband as opposed to corporate VOIP level. About 7.5 million out of 200 million US homes and offices have traded in their traditional phone lines for VoIP. But research firm Gartner predicts there could be as many as 25 million VoIP-connected homes by 2008.

Low-cost voice over Internet Protocol (VoIP) phone services now capturing the general public's imagination are indeed being targeted by online attackers, who have been known to eavesdrop on calls, deny customers access to their VoIP service and cause "clipping," or degraded service quality, on some accounts. VoIP's security problems only heighten concerns simmering since January, when a Harris Interactive poll found that 60 percent of all adults in the United States who are aware of Internet telephony but not using it believe it could be subject to security and privacy issues.

It is likely that the broadband VOIP movement will define standards for secure VOIP that will eventually be adopted at an enterprise level.

Universities have unique challenges - #72

This is an interesting article that explains why universities and colleges are hardest hit by security breaches, identity theft and viruses/malicious code. I have been involved with some security assessments with educational institutions and there is no doubt they have a tougher time than traditional corporates. The institutions I was involved with actually had fairly robust technology deployments but lacked in the Risk Management and Process area - a domain where the corporates normally fare better.

From this article, it would appear as if the US institutions are having a particularly rough time in today's security wild west. The article sums up the unique challenges for educational institutions quite nicely.

Phishers hit 79 brands in April - #71

A report into April's phishing activity by the Anti-Phishing Working Group (APWG) showed that 2854 phishing sites hijacked 79 brands in April 2005.

The bulk were financial institutions, but ISPs made up over 10 per cent of targets for the first time, and phishing attacks against retail companies rose sharply during the month. The research also revealed that phishers are getting smarter in their attempts to fool the public. A lot of recent phishing sites use 'hijacked' servers, where the scam is located on the domain of a legitimate enterprise to which the phisher has gained remote access. This gives the scammers the advantage of having a link that leads to a legitimate domain that cannot be blacklisted.

The US still hosts more phishing sites than any other country at 26.3 per cent, but China is catching up fast at 22 per cent. The APWG report suggests that the increasing availability of broadband is driving phishing in China.

This problem just seems to be getting bigger and bigger. Actually, the more I visit the APWG web site, the more interesting the phishing topic becomes to me. Give it a try (click on this blog heading).

Monday, June 06, 2005

Executives guides to Security - #70

As compliance drives security spending and top management teams become more involved in dealing with compliance and security issues, it was inevitable that some executive guides would start appearing.

Well, Realtime Publishers has been involved in some independent authoring of these guides, sponsored by vendors, and the results have been excellent. In a previous blog on the 20th May (go to the archives to find it), we spoke about the excellent "Executive Guide to Compliance", the first ebook published by Realtime. They have continued this success with another superb set of publications sponsored by NetIQ. As I've stated previously, this is a different publishing model in that the sponsor does not have a hand in the writing of the publication, merely the funding of it, and it's an excellent approach to ensure unbiased subject matter without the normal vendor propaganda and product pitches.

This time they have authored a set of 3 compliance e-books, and whilst their previous Executive Guide to Compliance discussed the compliance issues themselves, this series discusses suggested execution, so it is an excellent follow-on series.

Book 1: The Executive's Guide to Assuring Compliance
I have read these guides and I must say they are a highly recommended read, both for us as security integrators and service providers, to better understand our clients and for the clients themselves struggling with understanding the compliance issues.

McAfee's new enterprise products - #69

Early next year McAfee plans to partner with Cisco Systems to deliver an offering dubbed Policy Enforcer, which will work with McAfee's ePolicy Orchestrator and Cisco switching technology to act as a network-edge sentinel that allows access only to clients that meet security policy criteria. The system will scan PCs and wireless devices and apply security assessment technology from Foundstone, which McAfee acquired last year, to determine if a device meets security policy. Once a client device has been scanned, Policy Enforcer will quarantine the device in a secure subnetwork using a McAfee IntruShield VLAN, or the system will move the device to a remediation network that instructs the user how to cleanse the device to an acceptable level.

Also in the works is the McAfee Content Security Appliance, currently in beta and scheduled to ship in the third quarter of 2005; the appliance will provide Web and e-mail security plus prevent spyware at the network edge. As many as three versions are planned. One, a secure Internet gateway with integrated content security, will include antivirus, antispam, content/URL filtering and anti-phishing capabilities. The other two appliances, a secure Web gateway and a secure messaging gateway, address more specific Web and e-mail security. Apparently these appliances will be faster than the current hot box from Fortinet.

In addition, McAfee is slated to introduce Intrushield NG, a unified threat-management product. Due for release next spring, Intrushield NG will be a carrier-grade appliance with throughput of up to 12Gbps in its first iteration, scalable to 100Gbps. Plans call for IntruShield NG to initially offer intrusion prevention, firewall, network antivirus and antispyware functions, but later iterations could include URL filtering, content filtering, network firewall and VPN capabilities and be fast enough to sit on a service provider back end.

The state of Sarbox - #68

In an interview in the May issue of Chief Executive Magazine, James Quigley, chief executive of Deloitte & Touche, argues in defense of the Sarbanes-Oxley Act. Given his firm's line of business, this may come as no surprise, but he does have some interesting comments and views on the usual questions about Sarbanes-Oxley.

Saturday, June 04, 2005

The Art of selling security - #67

Here is a useful article where the authors asked a group of security officers from several industries to share their advice on how to make business executives acknowledge security risks and loosen the purse strings. As dismal as your prospects may seem when you're staring at an anemic budget, all is not lost, it would seem.

Getting funds for security initiatives is an expertise security pros must master to be successful. It is, after all, much better to procure funds in advance than to wait until after a security incident. Their secrets to success vary, but according to security experts two things remain constant: They demonstrate security technology in the context of regulatory priorities and construct pro-deployment cases that largely circumvent conventional ROI considerations. Some of the methods used that circumvent traditional ROI calculations make for interesting reading.

Where to for McAfee? - #66

Microsoft Corp.'s looming shadow in the security market appears to have done little to slow McAfee Inc., one of the few major pure-play vendors in the market. The company last month reported a healthy first quarter, its consumer business is booming, and Wall Street analysts appear to be bullish on the company's prospects, at least for the short term.

But moves are afoot to extend its enterprise play beyond its traditional desktop AV/FW market, and there are plans to bring new risk management and network access control products to market early next year. Their acquisition of IntruVert for some $300M-odd last year was a masterstroke, as they have enjoyed incredible success with their flagship IntruShield IPS appliance, and earlier this year it was followed by the Foundstone purchase (no prizes for guessing where the risk management play is going to come from).

The acquisition of Wireless Security yesterday also hints that they are not going to let their core consumer business flounder, and may have more than a casual eye on the SMB market. Wireless Security's technology will be bundled with McAfee's core products, including its Internet Security Suite, VirusScan and Personal Firewall. The technology will also be integrated into McAfee's Managed VirusScan, a product for small businesses.

The link in this posting's top headline takes you to a very interesting interview with McAfee's President, Gene Hodges, who talks through their strategy for the enterprise networking security market. I think we can expect another integrity architecture making its arrival soon, but something tells me this one is going to be a little different - it has to be, as it's getting pretty crowded out there with NAC, NAP and TNC!

Friday, June 03, 2005

Security Guide for SMB's - #65

You know, I am constantly amazed by how few people know or have heard of SANS outside the USA. Especially customers. SANS are a fantastic and dynamic resource for information.

Here is a real little gem that I picked up on their site, a "Network Security Guide for small to medium sized businesses". It's very basic, but I've been to a few SMB customers that are starting from scratch (literally, a router connected to the Internet and no firewall, I kid you not) and I couldn't help thinking what a useful guide this would be for them.

If some SMBs could do the ten things mentioned in this little paper they would be 500% better off than they are today (actually, if some large enterprises could do this they would be better off as well). I liked the easy, simple language used in the document - something critical for SMBs where the IT manager is the CEO and a whole bunch of other things rolled up as well!

Public or Private IM Debate - #64

Further to blog entry #63, that made a strong statement about disconnecting from public IM, here is a debate that discusses private versus public IM in an enterprise and goes into more depth about a broad IM strategy. One camp says public IM is so prolific you cannot exclude it from your corporate strategy and the other camp says cut it off!

Did you know that IM is so pervasive in businesses that sources for this story estimate anywhere from 60 to 360 million corporate IM users in 85-90 percent of enterprises use the popular messaging technology and yet 50-70 percent of enterprises haven't established formal policies for IM use?

You'd better believe that best practices for IM are a hot topic right now!

Another very recent (today) controversial continuation of the public versus private corporate IM debate is here and is definitely worth a read.
The message? Just because 100M people using public IM are wrong, doesn't mean that you have to incorporate it into your corporate strategy. In other words, if everyone is jumping over the cliff like lemmings, does that mean you should follow them?
Either way, action is called for now, whether you choose to use public IM, private IM or a mixture of both.

Four ways to secure IM - #63

IM and P2P exploits are on the up, so further to my blog entry #55 which details why these exploits are proliferating, we now look at ways of addressing this since in many instances turning it off altogether is not an option.

This week, attackers targeted the America Online and Yahoo instant messaging services with worms. The Yahoo worm attempted to trick users into giving up their usernames and passwords. The AOL worm tried to download malicious code to the user's PC. More seriously, in April, Reuters shut down its instant messaging service due to the Kelvir IM worm, while in February, Microsoft shut down its MSN Messenger service due to vulnerabilities in its client.

This article looks in detail at four ways to protect against this, namely:

1. Don't Use Consumer IM
2. Use An Internal Server If Possible
3. Address the Human Element
4. Use Multiple Layers Of Protection

Expect the fortunes of companies such as BlueCoat, FaceTime, IMLogic and Akonix to look more rosy in the future...

Blue Coat Systems shares rise 20% - #62

As further indication that the content management security market is showing robust growth, shares of one of this market's "bellwether stocks", Blue Coat Systems Inc., rose more than 20% in late trading yesterday as the Internet appliance and security company reported its fourth-quarter profit doubled thanks to strong sales to new clients.

Content management solutions are those rare security solutions that offer more than vanilla "security" functionality. A lot of the economic buyers look to their "performance enhancing" capabilities, such as bandwidth and user productivity savings, in addition to their compliance and traditional security capabilities. This gives them an easier ROI justification. Content appliances are shipping with more and more functionality, and this vendor's appliance functions as a proxy/reverse-proxy server, spyware interceptor, web content AV, URL filtering, and IM and P2P security appliance.
CipherTrust leads the market for port 25 content appliances (mail) and Blue Coat leads the port 80 (application) appliance market share.

Thursday, June 02, 2005

Do you know about the Jericho Forum? - #61

This is a group you seriously ought to know about if you're involved in the security industry (if you don't already.)

Ever wondered why we suddenly have this proliferation of integrity architectures such as Cisco's NAC, Microsoft's NAP and TCG's TNC? Well, it's customer driven, and the Jericho Forum is an international forum of influential IT customer and vendor organisations who recognize that over the next few years, as technology and business continue to align closer to an open, Internet-driven world, the current security mechanisms that protect business information will not scale to meet the increasing volumes of transactions and data of the future. Their influence on this proliferation and evolution of client integrity and admission-controlled architectures is not to be underestimated.

In 2002, Royal Mail established an informal network of interested organisations to explore the potential to develop common security architectures to support de-perimeterised business-to-business networking. The need for such standards has been growing for many years as organisations seek to exploit the business potential of the Internet, while at the same time tackling the increasing problem of the 'disappearing perimeter'. In this regard, de-perimeterisation is the goal; re-perimeterisation is the progression towards reaching the goal.

The Jericho Forum's vision, mission and roadmap are described in a Visioning White Paper (which is publicly available); it is a highly recommended read if you are interested in how security architectures will rapidly evolve over the next two years. After reading the paper you will be astounded how closely it maps to what NAC, NAP and TNC are promising.

Wednesday, June 01, 2005

Easy alternative to 802.1x? - #60

This certainly made for interesting reading. Up until now, the bulk of customers that I am engaged with have had to use 802.1x authentication when trying to secure access to their networks and authorise physical connections to the network. Cisco's NAC primarily relies on 802.1x as well. 802.1x implementations are non-trivial; however, someone has found an innovative alternative.
Automated IP address management has been used for years to streamline the administration of IP addresses, but one small company and a couple of its customers have discovered a new use for the tool: to create an extra layer of endpoint security and access control. The NAC, NAP and TNC architectures discussed in a previous blog all rely on having to check and authorise devices at connect time before allowing access to the network.

MetaInfo, a spinoff of Check Point Software Technologies Ltd., is working with customers and partners to use the point at which users are given access to the corporate network - the IP address assignment - as a mechanism to stop and "frisk" the machine. This lets the company ensure that the device is legitimate and complies with corporate security policies, according to Grant Asplund, president and CEO of the Seattle-based company. "That is where the opportunity exists to take control of the machine initially and route it to where you want to send it, inspect it and let it have access," said MetaInfo user James LoTruglio, vice president of IT for Hearst Service Center, the operational arm of Hearst Corp., in Charlotte, N.C. LoTruglio, who had been asking for such functionality for years, said he saw the potential for using DHCP (Dynamic Host Configuration Protocol) services to provide access to a secure area on the corporate network - such as a virtual LAN - and then, he said, "use a secure tool to interrogate the machine for various patch levels and the like."
The advantage of using DHCP is obviously that most corporates already have it installed. I will investigate this further so stay posted...
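To make the DHCP-as-checkpoint idea concrete, here is a small added model of the flow the article describes (this is example code written for this post, not MetaInfo's or Check Point's product): a client's first lease always lands in a quarantine range, a posture check runs against it there, and only a passing client is re-leased into the production range. The pool addresses, the Posture fields, the thresholds and the MAC address are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Two address pools play the two roles in the article: a quarantine VLAN where a
# new client is "frisked", and the corporate LAN it is released into afterwards.
# Both ranges are constructed for this example.
QUARANTINE_POOL = ipaddress.ip_network("10.99.0.0/24")
PRODUCTION_POOL = ipaddress.ip_network("10.10.0.0/24")

# Hypothetical policy thresholds; a real deployment would read these from policy.
MIN_PATCH_LEVEL = 12
MAX_SIGNATURE_AGE_DAYS = 7


@dataclass(frozen=True)
class Posture:
    """What the interrogation step reports about a client (constructed fields)."""
    patch_level: int
    signature_age_days: int
    firewall_enabled: bool


def is_compliant(posture: Posture) -> bool:
    """Policy decision: every check must pass; a single failure keeps the client quarantined."""
    return (
        posture.patch_level >= MIN_PATCH_LEVEL
        and posture.signature_age_days <= MAX_SIGNATURE_AGE_DAYS
        and posture.firewall_enabled
    )


class AdmissionDhcp:
    """Lease handling in which the choice of pool *is* the admission decision."""

    def __init__(self) -> None:
        self._next_host = {QUARANTINE_POOL: 10, PRODUCTION_POOL: 10}
        self.leases = {}          # MAC -> (address, pool it was drawn from)
        self._verified = set()    # MACs whose most recent inspection passed

    def _allocate(self, pool: ipaddress.IPv4Network) -> ipaddress.IPv4Address:
        host = self._next_host[pool]
        self._next_host[pool] += 1
        return pool.network_address + host

    def offer(self, mac: str) -> ipaddress.IPv4Address:
        """DHCPDISCOVER handling: anything not yet verified only ever sees the quarantine pool."""
        pool = PRODUCTION_POOL if mac in self._verified else QUARANTINE_POOL
        address = self._allocate(pool)
        self.leases[mac] = (address, pool)
        return address

    def inspect(self, mac: str, posture: Posture) -> ipaddress.IPv4Address:
        """Run the policy check on a leased client and reissue a lease from the pool it now deserves."""
        if mac not in self.leases:
            raise KeyError(f"no lease for {mac}")
        if is_compliant(posture):
            self._verified.add(mac)
        else:
            self._verified.discard(mac)   # a previously good client can regress
        return self.offer(mac)

    def pool_of(self, mac: str) -> ipaddress.IPv4Network:
        return self.leases[mac][1]


if __name__ == "__main__":
    server = AdmissionDhcp()
    laptop = "00:11:22:33:44:55"   # constructed MAC address
    print("first lease:  ", server.offer(laptop))                          # quarantine range
    print("after check:  ", server.inspect(laptop, Posture(13, 2, True)))  # production range
    print("after regress:", server.inspect(laptop, Posture(13, 30, True))) # quarantine again
```

A client that configures a static address in the production range never sends a DHCP request and so never reaches this code at all, which is why the article positions DHCP-based admission as an extra layer rather than a replacement for port-level 802.1x control.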

Data Encryption debate rages

Recent reports of high profile embarrassing data breaches, coupled with stringent data privacy regulations such as the Health Insurance Portability and Accountability Act and Sarbanes-Oxley Act, are softening long-standing reluctance by the private sector to adopt encryption technology, industry executives say.
But experts advise organizations to plan carefully before introducing encryption and warn that the technology may not even be the best way to prevent data theft. Incidents such as last week's disclosure of the theft of sensitive data on 16,500 current and former MCI Inc. employees typify the forces driving enterprise interest in data encryption and protection tools, experts say. The data was on a laptop stolen in April from a car belonging to an MCI analyst.
But companies can't clamp encryption on top of production networks, databases and file systems without breaking business apps and slowing network traffic to a crawl, said David Friedlander, an analyst with Forrester Research Inc., in Cambridge, Mass. The trick is to apply encryption strategically and in a way that doesn't require changes to applications, employees or business partners who use the information, said Ted Julian, vice president of marketing at Application Security Inc., of New York.

Cisco 1st out the block with Integrity Architecture - #58

Microsoft Corp., Cisco Systems Inc. and the Trusted Computing Group have big plans for their competing client integrity architectures, but while the TCG and Microsoft are still finalizing their technologies, Cisco is already moving ahead with its second wave of products. Since launching its NAC (Network Admission Control) effort in June, Cisco has been steadily expanding the program. In February, Cisco added ATD (Active Threat Defense) features to NAC for traffic inspection and application security. Last month, the company released a NAC appliance called Cisco Clean Access Out-of-Band that integrates with Cisco's switching infrastructure and can detect, isolate and clean infected or vulnerable devices that attempt to access a NAC-protected network. This summer, Cisco will release software updates for its switching gear to support NAC policy compliance within LANs and WANs.

Meanwhile, Microsoft's NAP (Network Access Protection) architecture is complete, but the technology is still being tested and won't see the light of day until Microsoft releases the "Longhorn" operating system in 2007. But Microsoft is hedging its bets, saying that it will integrate Longhorn with both NAC and the TCG's TNC (Trusted Network Connect) platforms. Microsoft is also working "relentlessly" with Cisco on an architecture that brings together NAC and NAP, and gives customers a choice of where to do policy enforcement "far ahead of when Longhorn ships."

At the Interop show this week, TCG will release its first specifications for building client and server plug-ins that can handle TNC integrity information. The group is moving ahead with more specs, scheduled for next quarter, including APIs that work across any network transport layer and strong authentication of TNC data using TCG's Trusted Platform Module chip.

Latest Infonetics Research

Infonetics today released its latest market research figures on the worldwide security appliance and software market, which was up 5% between the last quarter of 2004 and the first quarter of 2005, and is forecast to grow 27% to $1.3 billion in the first quarter of 2006. Total annual revenue is expected to grow to $6.5 billion by 2008.

“This was a fairly quiet quarter overall, with Cisco's big jump in hardware secure router revenue clocking in as the only major event of the quarter,” said Jeff Wilson, principal analyst at Infonetics Research. “The overall network security market will grow at a 15% compound annual growth rate between 2004 and 2008.”

1Q05 Market Highlights

  • Cisco is the worldwide leader in revenue market share in the overall network security appliance and software market, a position it has more or less maintained since 2002;
  • Check Point is second in worldwide revenue share;
  • Juniper is close behind in third;
  • Enterasys, ISS, McAfee, Nokia, Nortel, SonicWALL, and Symantec are strong second-tier players, with significant revenue market share across a number of categories;
  • VPN and firewall appliances and software make up the majority of revenue (78% in 1Q05), with IDS/IPS second at 14%, and gateway antivirus third at 8%;
  • North America accounts for 45% of network security appliance and software revenue, EMEA for 29%, Asia Pacific for 21%, and CALA for 5%.