Wednesday, September 28, 2005

Cisco ratchets up self defending network

In a move that signals rapid convergence of security into the network fabric, trend-setter Cisco has moved one big, bold step closer to its Self Defending Network vision by launching key components of its Adaptive Threat Defense initiative.

The new solutions utilize existing network and security infrastructure to help protect existing business investments and include:
  1. Cisco Incident Control System (ICS);
  2. Distributed Threat Mitigation for Intrusion Prevention Systems (IPS);
  3. Enhancements to Cisco IPS and IOS software.
These extensions to the Cisco Self-Defending Network security strategy and product portfolio aim to deliver real-time threat response based on internal and external network threat intelligence.

ICS is a collaboration with Trend Micro's TrendLabs, which will provide Cisco ICS customers with current information on virus outbreaks and virus signatures. That information is designed to let users automatically configure their IPS sensors, routers and switches to block the threats before they reach core network assets.

Distributed Threat Mitigation (DTM) for IPS is designed to let users identify, manage and eliminate attacks that originate locally. The feature is delivered as an add-on to Cisco Security Monitoring, Analysis and Response System (CS-MARS) version 4.1: Cisco IPS appliance sensors detect a threat, and CS-MARS 4.1 then distributes that information to Cisco IPS-enabled routers across the network so they can block it.

Cisco IPS version 5.1 and Cisco IOS Software Release 12.4(4)T add the outbreak prevention capabilities that let IPS sensors, routers and switches participate in ICS and DTM as described above.

Cisco's approach is broad and inter-related; deploying Adaptive Threat Defense is non-trivial and will require significant professional services, upgrades and planning on the part of customers.

CATEGORIES: 1vendor, 1announcement, 1convergence

Security Facts Roundup


ISF 2005 Phishing Report

As we move from pranksters to pros and organised crime gets in on the action, information security becomes more complex and scary.

A new report from the Information Security Forum (ISF) warns that Trojan-based attacks will take over from email phishing in the US and Europe as Trojans become more sophisticated and harder to stop. Email phishing will move away from English-speaking regions to Asia, China and the Middle East, to be replaced by a surge in sophisticated and well-organised Trojan attacks.

They also highlight the increasing use of ‘moles’ placed or groomed in organisations to gain access to high-worth customers or company data.

CATEGORIES : 1ISF, 1phishing, 1report, 1crime, 1trojans,1data theft

Friday, September 23, 2005

EU banks pay for weak security

Web monitoring firm Websense is warning of a major phishing attack on European banks, possibly because they have weaker security. The company discovered attacks against more than two dozen European banks over the weekend, primarily against Spanish and Italian institutions.

This is the first time that Websense has witnessed such a concerted attack against European banks; US sites like Citibank and PayPal are the more usual targets. "We're seeing a move to find the weakest link," said Mark Murtagh, EMEA technical director at Websense.

"Bigger banks have made some strides in providing material to prevent phishing but some are still relying on just a user name or password." Interestingly, the Netherlands rarely gets targeted because almost every bank there has two-factor authentication or uses one-time passwords.

CATEGORIES: 1europe, 1phishing, 1banking, 1passwords

Telcos jump into mobile security

Mobile security is on the agenda for most cell phone service providers around the world, even though consumers aren't asking for it yet. On the corporate side the demand is already there and IT managers have understood the issue, but to consumers it still has to be pushed.

It's December 2007 and you have just switched on your new mobile phone to find it has been sending thousands of unwanted photos to all your friends and colleagues, putting you in line for a $5,000 bill. Sound unlikely? Mobile phone providers want to keep it that way, and are starting to fit security software to subscribers' cell phones -- even though the threat from viruses and other rogue programs is still distant. "We wanted to be proactive.... It is still a clean field and we want to keep it that way," said Pasi Mehtonen, head of mobile services at Sonera, a Finnish unit of TeliaSonera AB, a leading Nordic telecommunications company.

Finland-based F-Secure, a mobile security firm, has won five of eight cell phone security deals that cell phone companies have announced, and it expects to generate profits from mobile business between 2006 and 2008, when it sees mobile security becoming mainstream. F-Secure has deals with Elisa, Sonera, Swisscom and Deutsche Telekom's T-Mobile unit in Germany. Orange, a unit of France Telecom, is piloting its service in Switzerland. U.S. security software maker McAfee Inc. said last month that it expects mobile-device security products to add fractionally to earnings next year and contribute more in 2007.

Research firm IDC believes the market for mobile security software will grow around 70% annually, from $70 million in 2003 to nearly $1 billion in 2008, as more people start to use e-mail and the Internet on their phones. The market for fighting viruses, worms and other malicious software on computers will still be as much as 10 times larger than the corresponding market for mobile devices, according to market research firm Research and Markets. But the number of cell phones sold is four times greater than the 200 million PCs sold annually.

Roughly 50 million advanced smart phones are already in use; smart phones provide mobile access to the Internet and e-mail. They account for only about 2% to 3% of all mobile phones in the world but are the fastest-growing part of the market, according to research firm Gartner Inc., with annual sales expected to reach 200 million units in 2008.

Three out of four smart phones run on the Symbian operating system, making it the virus-writers' target of choice. Indeed, 81 out of the 83 mobile viruses so far recorded have targeted Symbian, according to F-Secure.

CATEGORIES: 1mobility, 1phones, 1telcos, 1research, 1idc,1threats

Mobile virus jumps to PCs

The news on mobile phone viruses has been stepping up over the last few months. The volume of mobile-device malicious software has been rising rapidly, with 83 different viruses emerging within just a 14-month period. Among the threats were the Fontal.A Trojan horse in April, the CommWarrior Trojan and the infamous Cabir virus.

Now the first ever instance of one of these viruses jumping from a phone to a PC has been reported in this article. After some thought, this had me concerned. What if a virus/spyware on your PC could jump to your phone or PDA? To my mind, phones and PDAs are always connected to your PC to synchronise contacts and calendars, so this should not be such a major feat. But imagine the consequences. If I was a virus writer I wouldn't be bothering with Bluetooth replication etc. I would use the gazillion already-infected PCs out there as my launch platform for infecting phones.

Guaranteed within 6 months we will see this happening...

CATEGORIES:1mobility, 1virus, 1phones

Thursday, September 22, 2005

Ozz ices data protection laws

In a controversial move that has disappointed the Australian security community, Australia will not follow the lead of the US by introducing stiffer data protection laws to safeguard sensitive information held by companies, despite compelling recent evidence of a thriving black market trade in the personal data of Australians. According to information obtained from the office of the Attorney General, no new laws will be considered in Australia to force companies to disclose details of a breach of data security that could expose personal information to either the general or criminal populations.

In December, the US state of New York will bring into force strict new laws governing data security breaches. The laws will directly force state-based and interstate companies to disclose virtually all data breaches, no matter how small the companies deem the risk to consumers, and will usurp the current California breach notification laws as a national benchmark. However, despite two high-profile cases that have seen thousands of Australians forced to replace personal items ranging from credit cards to passports, Attorney General Philip Ruddock maintains that the existing Privacy Act, which carries no criminal sanctions, is strong enough to compel companies to keep their data safe from theft.

Despite the obvious loophole that allows Australian companies to legally hide their exposure to data theft, Curtis says companies should do the right thing and come clean to customers in the event they are compromised.

Yeah, right I've heard that one before...

CATEGORIES : 1legal, 1australia, 1data privacy, 1laws

Wednesday, September 21, 2005

Symantec peer-2-peer survey

It resembles "earnings season" this month with all the various security related survey results coming out.

Symantec’s second Peer-to-Peer survey focused on security strategy, sampling the issues, priorities and plans of IT specialists, managers and executives at mid- to large enterprises worldwide. The sample, covering a broad range of industries and professional roles, identified traditional security concerns including unauthorized access and malicious code as still the most significant issues. But it flagged online fraud by professional criminals as the fastest-growing threat, and one against which protections continue to be inadequate through the near future. In their own work, these security professionals emphasize a broad range of protections, with incident-response and risk-assessment strategies key priorities. The group sees security appliances as a "breakout" security technology, expects improvements in mobile security solutions, and is skeptical of educational and cooperative initiatives. Budget issues stand out among today’s barriers to better security, but many see shortages of skilled personnel overtaking them as limits to security improvement.

Click on the link title or here to download the PDF report.

CATEGORIES: 1survey, 1vendor, 1users, 1strategy, 1concerns, 1forum

IM marches on relentlessly

Osterman Research have just wrapped up their twice-yearly tracking survey of instant messaging (IM) in the workplace. The results are not particularly stunning, but they reflect the maturation of the IM market and its continued growth, despite all the security risks.

Here are some of the results from the research:

  • 26% of e-mail users in the workplace use IM on a regular basis while at work, up slightly from 24% as found in the March survey. This figure continues to creep up consistently as new users realize the benefits of using IM in the workplace.
  • 52% of organizations are using IM for real-world business applications, identical to what we found in our last survey. While this figure is impressive given that consumer IM clients dominate the use of IM in the workplace, this figure is expected to climb significantly as organizations roll out their own enterprise-grade IM systems and/or provide enterprise features to the current base of IM clients, instead of relying solely on the viral nature of IM to expand its use.
  • 2/3 of organizations are concerned or very concerned about the potential for viruses, worms and other threats to enter their networks through IM. This is the highest percentage of respondents that are this concerned since this question was added to the tracking survey last year. This concern is due, in large part, to the well-publicized nature of the growing number of IM threats that have affected IM systems - the number of IM threats so far in 2005 is dramatically higher than for all of 2004.
  • The three leading consumer IM clients - AOL Instant Messenger, MSN Messenger and Yahoo Messenger - continue to be the three leading workplace IM clients. Lotus Instant Messaging and Web Conferencing (Sametime) continues as the leading enterprise IM system in use, although Microsoft Live Communications Server continues to increase its penetration. Surprisingly, Google Talk is already present in a significant percentage of the organizations surveyed, despite the fact that it was introduced only recently.

Here are some previous blog postings on IM : IM users soar to 867 million, IM Security in a mess!, Four ways to secure IM, Public or private IM debate, Thirty two IM rules and IM in the firing line.

CATEGORIES: 1research, 1survey, 1IM, 1users, 1stats


Tuesday, September 20, 2005

Virtual Patching takes off

The Zotob outbreak showed us that the exploit window is shrinking rapidly from weeks to days and confirmed suspicions that IT managers are losing the "patch race" with Windows. Patch management also consistently shows up in the top five "headaches" and priorities for customers in many recent surveys.

Many of our customers have deployed network IPS technology in front of server farms to "buy time" during windows of vulnerability, whilst they evaluate, test and deploy patches. Some interesting alternatives to IPS are starting to surface however. An emerging category of network equipment is giving network executives more time to install security patches by keeping servers safe until full-blown fixes can be tested and installed. So far there are two approaches to the problem: software that runs on the servers being protected and an appliance that sits in front of the servers.

Determina makes the software, called LiveShield (story here), and Blue Lane Technologies Inc., a start-up in Cupertino, Calif., last week introduced an appliance called PatchPoint, termed a world-first "inline patch proxy", that addresses specific vulnerabilities in Windows and other products. Instead of requiring users to install software on their systems, PatchPoint sits in front of servers and mimics the functionality of vendor-issued patches on the traffic passing through it. The approach is designed to let IT staff "hold down the fort" until they're ready to apply the actual patches. PatchPoint pricing starts at $30,500, and Blue Lane has already picked up some impressive customer wins, testimonials and case studies.

Now if we could just find a similar approach for the client operating systems.... but seriously, one often wonders with this type of technology whether clients won't start suffering from a false sense of security and slack off on their server patching altogether... I'll keep a close watch on this one and try to elicit some feedback from the IPS vendors.

UPDATE: Christopher Hoff describes some interesting testing they did of this product at his Rational Security blog. His comments are that the device works extremely well. He observes of the IPS approach to doing the same thing: "'Ah,' you say, 'but any old NIPS/HIPS/AV/Firewall can do that!' Er, not so, Sparky. The notion here is that rather than simply dump an entire session, the actual active streams are 'corrected' allowing good traffic to flow while preventing 'bad' traffic from getting through -- on a per-flow basis. It doesn't just send a RST and that $50M wire transfer to /dev/null, it actually allows legitimate business traffic to continue unimpeded."
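The per-flow distinction Hoff draws is easier to see in a toy model than in prose. The following is an added example of my own, not Blue Lane's, Determina's or any IPS vendor's code: the protected application, its /account endpoint and the rule that its "id" parameter must be a short decimal integer are all hypothetical, invented only to stand in for "a known, unpatched flaw". It runs one constructed keep-alive connection through a session-dropping IPS and through an inline patch proxy that answers only the offending request the way the patched application would, and it also shows the caveat raised above: a request to any path the virtual patch does not know about passes straight through, which is why this buys time rather than replacing the real patch.

```python
"""Toy model: inline "patch proxy" versus session-dropping IPS.

Added illustration, not vendor code. The vulnerable endpoint, parameter and
validation rule below are assumptions made up for this example.
"""
import re
from urllib.parse import parse_qsl, urlsplit

VULNERABLE_PATH = "/account"        # assumed: endpoint carrying the unpatched flaw
VULNERABLE_PARAM = "id"             # assumed: the parameter the flaw lives in
VALID_ID = re.compile(r"\d{1,10}")  # assumed: what the vendor fix would accept


def is_exploit_attempt(request_target: str) -> bool:
    """True when a request hits the known-bad endpoint with an "id" value the
    patched application would refuse. Other paths are not inspected at all,
    which is exactly the narrowness of a virtual patch."""
    parts = urlsplit(request_target)
    if parts.path != VULNERABLE_PATH:
        return False
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key == VULNERABLE_PARAM and VALID_ID.fullmatch(value) is None:
            return True
    return False


def ips_drop_session(flow):
    """Signature-IPS behaviour: the first exploit attempt earns the connection
    a TCP RST, so every later request on it, legitimate or not, is lost."""
    decisions, reset = [], False
    for target in flow:
        if reset:
            decisions.append(("lost", target))
        elif is_exploit_attempt(target):
            decisions.append(("rst", target))
            reset = True
        else:
            decisions.append(("forward", target))
    return decisions


def patch_proxy(flow):
    """Inline patch proxy behaviour: only the offending request is answered
    with the validation error the patched application would send; the
    connection stays up and the other requests are forwarded unchanged."""
    decisions = []
    for target in flow:
        if is_exploit_attempt(target):
            decisions.append(("400 Bad Request", target))
        else:
            decisions.append(("forward", target))
    return decisions


# Constructed keep-alive connection: a good request, an injection attempt
# against the known flaw, then a legitimate high-value transaction.
SAMPLE_FLOW = [
    "/account?id=42",
    "/account?id=1%27%20OR%201%3D1--",
    "/transfer?from=42&to=77&amount=50000000",
]

if __name__ == "__main__":
    for name, filter_fn in (("IPS", ips_drop_session), ("patch proxy", patch_proxy)):
        print(name)
        for action, target in filter_fn(SAMPLE_FLOW):
            print(f"  {action:16} {target}")
```

Run it and the IPS column reads forward / rst / lost, so the $50M transfer never arrives, while the proxy column reads forward / 400 Bad Request / forward. Feed it "/profile?id=1%27%20OR%201%3D1--" and both pass it untouched: the virtual patch only knows the one flaw it was written for.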

CATEGORIES: 1patching, 1hips, 1endpoint security, 1ips,1vendors, 1first

Monday, September 19, 2005

Hackers target private information

Computer hackers seeking financial gain rather than thrills or notoriety are increasingly flooding the Internet with malicious software code, according to a semi-annual report issued on Sunday. Symantec Corp.'s Internet Security Threat Report said during the first half of 2005 the number of new viruses targeting Microsoft Windows users jumped 48 percent to nearly 11,000 compared to the previous six months as hackers used new tools and a growing sophistication to create malicious code.

The latest report by the world's biggest security software maker also found that viruses exposing confidential information made up three-quarters of the top 50 viruses, worms and Trojans, up from 54 percent in the last six months of 2004. It also said an increasing amount of menacing software allowed spam to be relayed automatically from computer to computer. These so-called "Trojan" programs can also download and install adware to display pop-up ads in a user's Web browser.

More so-called robot, or "bot", networks, which are created when a hacker illegally gains control of a large number of computers, are now available for sale or rent in the underworld of the Internet, Symantec said. "As financial rewards increase, attackers will likely develop more sophisticated and stealthier malicious code that will attempt to disable antivirus, firewalls, and other security."

CATEGORIES: 1report, 1crime, 1botnets, 1threats, 1stats

Friday, September 16, 2005

Global state of InfoSec 2005

The much-awaited CIO/PwC "Global State of Information Security 2005" study has been released today. This is the third annual edition of the survey, once again the largest of its kind, with more than 8,200 IT and security executives responding from 63 countries on six continents. Like any other document/study referenced on this blog, this is a very worthwhile read. Customers can use the data to benchmark themselves and to glean ways to beat back the flames.

This is a lengthy and comprehensive report at CIO online, and I will try and summarise the salient points :

  • Just 37 percent of respondents reported that they had an InfoSec strategy—and only 24 percent of the rest say that creating one is in the plans for next year
  • As information security gains more status in the organization, security improves
  • The bigger the company, the more it watches its employees, and there’s a sudden and dramatic rise in companies monitoring their employees
  • The majority of information security executives range from ambivalent (at best) to downright dismissive (at worst) about the intentions, effect and pertinence of security regulations. The negative attitude toward regulation (only half of respondents believe it has increased the effectiveness of information security) indicates that regulations haven't had the intended effect, at least on information security.
  • The financial services industry takes care of security better than the rest; learn from its best practices. The financial services sector has long been presumed to practise superior information security, largely because of the preciousness of its assets (money) and the fact that its business is carried out almost entirely on IT systems.
  • When it comes to malicious activity on their network, information security executives have more information than ever, but they don't know what to do with it.
  • Malicious code is the top attack type (56%) followed by unknown (26%), unauthorized entry (25%) and denial of service (21%). Top attack vectors are email (68%), known OS vulnerability (26%), abused accounts/permissions (21%), unknown (19%) and known vulnerabilities (16%)
  • The top attack sources are Hackers (63%), Employees (33%), Unknown (25%), former employees (20%) and customers (11%)
  • Over 55% of respondents don't contact anyone as a result of an attack
  • Information security is getting more money, but exactly how much and from where isn’t always clear, which is more evidence of a lack of strategic direction. The good news: The information security function can shake some money out of other departments’ pockets to supplement its own appropriations.
  • Topping next year's to-do lists are 1-disaster recovery/business continuity, 2-employee awareness programs, 3-data backup and encryption, 4-overall information security strategy, 5-more network firewalls, 6-SIM/SEM, 7-periodic audits, 8-monitoring employees, 9-monitoring log files and vulnerability reports, 10-spending on intellectual property protection

This is just a summary and you are recommended to read the CIO document on the supplied link as it has lots of nice graphs and tables together with all the details of the above salient points.

CATEGORIES: 1survey,1pwc,1strategy


Techies don't get security

Heads of information security functions are more likely to be business managers than techies in future as companies take a more strategic approach that balances IT security threats against business drivers. That's according to analyst house Gartner which predicts security will evolve into an element of a wider risk management strategy.

It reckons the days of security people blocking projects without considering the wider picture are numbered. "Business lives by risk. But the concept of 'acceptable risk' is an oxymoron to many security professionals," said Paul Proctor, research vice president with Gartner’s Information Security Group. He explained that large organisations thrive by having a developed understanding of risk, and by accepting it when it offers a business advantage.

Instead of a chief information security officer who scares budgets out of the business, a future risk management officer will be well-versed in communication and project management skills and more likely to have trained in business school than as a techie. This will leave technical staff unable to rise beyond a certain position in their company unless they get a business degree.

CATEGORIES: 1trends, 1strategy,1risk management, 1career

Dial VoIP for vulnerability

CIO magazine has published a really excellent and entertaining five-page article on the in-securities of VoIP, peppered with real-world customer examples and quotes. This is a highly recommended read; I enjoyed it and will share it with clients.

Phone service is abruptly cut off at a Wall Street brokerage after a hacker launches a full-scale denial-of-service attack, flooding the firm's voice servers with registration requests. An Internet worm makes its way from a retail giant's data network to its voice network, shutting down call centers and costing millions in lost revenue. An imposter enters the phone network of a top government agency and makes away with classified information by spoofing his caller ID. Sound far-fetched? According to security experts, such scenarios are not only plausible, they may be inevitable as companies and government agencies around the world scrap their traditional circuit-switched phone systems and move to voice over IP (VoIP).

Read it here...

Security increases employee productivity

According to a recent Maritz Research poll, companies looking for ways to increase employee productivity may find the answers in enhanced computer security measures.

In today’s fast-paced, high-tech work environment, employees rely on computers to perform most job functions. The latest Maritz® Poll, which surveyed IT managers in small and medium businesses, reveals the repercussions of computer viruses and other security problems, and their correlation to downtime on the job. Of those surveyed, nearly all (92 percent) reported that computer performance levels were affected by up to 50 percent due to security issues.

Some of the security issues affecting productivity include the following:

  • 75 percent of small and medium businesses were hit by at least one virus, with some affected over 100 times, in the past year.
  • 40 percent of respondents have been hit by hackers at least once, with some targeted more than 200 times, in the past year.

This is compounded by the common knowledge that virtually every computer with Internet access is assaulted with a barrage of adware, spyware and spam daily. Despite these serious security and spam issues and the obvious reduction in employee productivity some respondents still are not defending themselves against potential threats:

  • 29 percent don’t use anti-spam software.
  • 34 percent don't use anti-spyware software.
  • 4 percent don't use anti-virus software.
  • 47 percent don't use anti-adware software.
  • 9 percent don’t have Internet firewalls.

Considering the sophistication of today’s virus attacks, small and medium businesses need to take a closer look at both their preventive and responsive IT security measures. The potential return on investment is obvious.


One-in-six Spyware is for ID theft

Now we know why spyware rates as a top concern for customers. A significant portion of spyware is designed specifically to steal identities, underscoring the trend toward more malicious use of such software by criminals, says security firm Aladdin Knowledge Systems.

Fifteen percent of the 2,000 known spyware threats analyzed over a two-month span send private information gathered from the infected PC: they log keystrokes, capture usernames and passwords, and hijack e-mail addresses and contact lists.

Another 25 percent of the spyware examined gathers non-identity information, but was classified by Aladdin as a "moderate threat" because these programs collect data such as the victim PC's operating system, domain name, process logs, security applications, IP address, and the security updates installed.

The remaining 60 percent, said Aladdin, gathered "commercial-value information about the end user's browsing habits," the traditional definition of the often noxious but rarely dangerous adware.

IT Departments are security risk

According to a July study -- which was released Tuesday by Tokyo-based Trend Micro and based on polls of 1,200 users, 400 each in the U.S., Germany, and Japan -- 39 percent of enterprise workers believed that their company's IT department would keep them safe from viruses, worms, spyware, spam, and phishing and pharming attacks.

"What's so bad about that?" I hear you say...well read on.

That confidence, whether on the mark or misplaced, leads workers to do risky, even stupid, things at work, such as opening questionable e-mail messages or clicking on unknown or suspicious Web site links, when they have an IT department behind them to clean up their mess, the study claims. Of those who admitted to unsafe surfing, 63 percent acknowledged they took the risk because IT had installed security software on their computers, for instance. Meanwhile, 40 percent of risk-takers admitted they did so because IT was available to provide support if problems occurred, essentially providing a backstop.

The correlation between IT's presence, workers' security expectations, and riskier behavior shows how important it is for administrators to keep ahead of employee expectations. That may mean even greater security investments than originally planned, or more employee education. IT may need to get in front of the employees more to tell them that they have some responsibility for their actions, too.

VOIP provider spills 21,000 customer details

This is an incident that shows how people and simple process breakdowns or mistakes can cause a serious security incident and seriously dent your brand image.

Internet telephony provider Packet8 has accidentally disclosed the email addresses of 21,000 of its subscribers. The VoIP provider has more than 73,000 subscribers. The data leak occurred when an employee accidentally attached a spreadsheet containing the email addresses to the monthly Packet8 email newsletter sent last Thursday.

The firm sent an email to customers on Friday apologising for the data disclosure. Packet8 customers are likely to become the target for spamming and phishing attacks if criminals get hold of the list. Knowing that the addresses on the list are all Packet8 customers, phishers could send emails that appear to come from Packet8. The email could then fool them into disclosing confidential information by asking them to re-enter credit card information or log-in name and password.

Thursday, September 15, 2005

Infosec spending priorities

In May 2005, Gartner surveyed by telephone 133 U.S.-based organizations, each with revenue exceeding $750 million.

The survey revealed the following top InfoSec technology spending priorities:

1. Firewalls
2. Intrusion Detection/Prevention
3. Antivirus
4. Network Access Control (Scan and Block)
5. Patch Management
6. Authentication

Internal security/segmentation and re-perimeterisation is the likely explanation for the increased firewall spend. I have maintained since 2004 that IPS would go mainstream in 2005, and this is borne out in the survey. Antivirus is still up there, which means there are still a lot of unprotected corporate desktops out there.

Network Access Control took me by surprise at number 4. This is way higher than I expected, but very pleasing indeed. Gartner has long been predicting this market would take off and must be equally pleased. Given Cisco's lead in this space and Symantec's acquisition of Sygate, they will be pleased too. InfoExpress is another company that will be smiling here.

Patch management - well, that's just understandable, isn't it? In fact, given all the noise around passwords and SOX, authentication at #6 is no surprise either.

Dilbert improves security


Wednesday, September 14, 2005

Passwords have 2 years left

Companies are "fiddling while Rome burns" by continuing to put their faith in passwords to guarantee user authentication, according to a Gartner analyst. Gartner advises that enterprises should plan now to beat the 2007 password 'breakdown'. Passwords will reach the end of their useful life in as little as two years, forcing organisations to rethink the way they secure their corporate IT systems.

By 2007, the analyst group predicts that 80% of organisations will have reached "password breaking point" and will have to turn to more sophisticated technology to protect their systems and data. Businesses need to put a roadmap in place now that will allow them to phase out passwords and replace them with more secure two-factor authentication, said Ant Allan, research vice-president at Gartner.

Speaking at the Gartner IT Security Summit at London's Royal Lancaster Hotel this week, Allan will warn that passwords are rapidly becoming unusable as organisations attempt to stay one step ahead of hackers. By making passwords increasingly complex, and changing them with greater frequency, businesses are simply "rearranging the deckchairs on the Titanic," said Allan. The current generation of two-factor authentication devices - including smartcards, biometric readers, and one-time password tokens, which typically cost £70 a user to implement and run - will be too expensive for many organisations to deploy. Businesses are likely to turn to intermediate technologies, such as Entrust's Identity Guard, which is currently being trialled by banks and other organisations, said Allan.

But choosing the authentication mechanism is only part of the problem, said Allan. Organisations will need to invest in sign-on software to manage the passwords of legacy systems, while they migrate their systems towards two-factor authentication.

We discussed this exact topic some time ago. See Password insecurity at enterprises, Microsoft to abandon passwords and Security industry giving wrong advice on passwords for 20 years.

Infosec advisory role in decline

Here is an article that makes sense - and makes you think. The days of IT security being purely an advisory role are in decline, according to Paul Dorey, vice-president for digital security at BP. Speaking to Computer Weekly ahead of his presentation on Thursday to the Gartner conference, Dorey said the dependence of business processes on IT and the digitisation of almost every physical component and process is placing digital security at the core of business integrity.

Dorey predicted that by 2010 an increasing number of IT security professionals would be legally accountable for their designs and the statements they make about the digital integrity of their organisations. Such accountability is reflected in other professions, such as the engineer who specifies the strength of steel for the bridge, the surgeon who knows when to operate and the compliance officer who confirms regulatory compliance, said Dorey. He said, "Rather than consultants one step removed, the professional will be more and more trusted as a decision maker."

I wonder when customers will expect the same from their systems integrators or security service providers...

Mobile email-devices a security risk

Large organisations are leaving their networks vulnerable to attack by failing to police unofficial use of mobile e-mail devices by their staff, Gartner warns this week.

Staff are often tempted to link their personal mobile devices to the work e-mail system, particularly when they see senior staff with BlackBerrys or similar devices. But this can create serious security holes in networks, which can let hackers, viruses and other malware into corporate systems.

Gartner estimates that the number of mobile e-mail devices in use will grow from eight million to more than 80 million worldwide in the next three years, making wireless security a top priority for IT departments. Businesses should buy scalable mobile e-mail systems and consider offering them to a wider range of employees rather than restricting them to a few senior executives, the analyst said. Gartner advised IT departments to make sure that data stored on wireless devices is encrypted, and to invest in systems that can remotely block access or wipe data if devices are lost or stolen.

Security dominates SOX product spend

Network World's latest Executive Guide to compliance had the following interesting information. US companies will spend $15.5Bn on compliance activities this year, according to the latest findings from AMR Research. Sarbanes-Oxley (SOX) will take $6.6Bn of this.

IT security technology grabs the lion's share of technology spend on SOX, at 26%.

Security products that stand to gain from this are:
-Security Event Management
-Authentication and ID Management
-Continuous Data Protection
-Data Leakage Protection
-Security Operations Centres

Gartner warns of offshore security risk

A shortage of skilled labour for Indian call centres increases the risk of fraud and identity theft, analyst firm Gartner warned in a newly published study.

India will need one million trained and qualified call centre workers by 2009, according to the Indian government, but by that time about a quarter of those positions will remain unfilled. Gartner warned that the shortfall in call centre agents will cause offshore outsourcing firms to hire fewer qualified staff and could lead to reduced due diligence. The analyst firm advised its clients to pay close attention to attrition rates and security measures, and make sure that contracts guarantee service level agreements and penalties.

Since the security breach at an Indian call centre two months ago, a number of discussions and papers on security when outsourcing offshore have circulated on the Internet. Sharp focus was brought to concerns over data security in call centres, and last month an ABC TV report revealed a thriving black market for highly sensitive personal and financial details about Australians, leaked from offshore call centres operating in India.

We can expect more focus on this area as legislation and compliance bite deeper and customers become more aware of their exposure in offshoring agreements and realise that they can't offshore their security responsibility. Firms that offshore IT and customer service call centre operations to countries such as India are required to treat these operations with the same data protection and regulatory processes they would apply at home. But while they are accountable to domestic regulators, there is currently little in the way of protection under Indian law. Expect companies and governments bidding for offshore business to use the security angle to differentiate their services in the near future.

I would add to Gartner's recommendations that clients should review the government cybersecurity and privacy regulations of the countries they wish to offshore to, to ensure the necessary legal frameworks and disincentives are in place to deal with security breaches and hold those responsible accountable. India has already realised this and reacted sharply - see: India to tighten data security laws in wake of call centre breaches, Security programs for India contact centres announced and India to crack down on cybercriminals.

Those governments seeking to boost their economies through offshoring should seek to do the same to remain competitive.

Tuesday, September 13, 2005

Combat spyware at the gateway

Well, it looks like it's official: the Network World Clear Choice Test of enterprise anti-spyware products suggests the gateway approach might be the best starting point for IT managers wanting to shore up defences quickly. However, the report notes that mobile laptops should also be protected with a software solution.

A gateway can filter out spyware at least as well as desktop software, based on the test of 18 products. Tester Barry Nance found gateways easier to administer than desktop machines. Plus, "users can't fool with it," as they might with their desktop software, Nance says. Analysts weighing the pros and cons of the basic strategies also point out that the cost to install a gateway in many instances is going to be low in comparison with installing anti-spyware software on the desktop.

"The gateway alternative works reasonably well to reduce the impact of spyware, is less expensive to operate and maintain than desktop mitigation, consumes fewer overall resources and is readily controlled," says a security report titled "Enterprise Strategies for Defending Against Spyware" from Burton Group.

Clear Choice awards went to McAfee for its Secure Web Gateway and to Tech Assist's Omniquad AntiSpy Enterprise desktop product.

Multifunction appliances a market gamble

There has been a lot of noise recently as various vendors release their all-in-one or multifunction security appliances. It seems that everyone from Cisco to Juniper and McAfee is on the bandwagon. As a result this subject has become quite topical.

Multifunction security devices are a market gamble. Why there is currently not a lot of traction in the market for some of these appliances comes down to a lot of complex, interrelated technical, marketing, practical and psychological factors, which I can summarise as I see them in the field in my company.

First, the concept of all-in-one security appliances is not new. I covered it in a previous entry titled Dangers of all-in-one Security appliances. We have the benefit of some history: we can learn both from the old Network Associates days (when the concept of being everything to everybody bombed totally) and from Symantec, who have been peddling their all-in-one gateway security appliances for some time now but with "limited" success in the SMB space.

Second, despite all the analyst comments over the last three years on the benefits of all-in-one security appliances from a cost-of-ownership and management-complexity point of view, and predictions of this market booming, the clock has been sitting at five minutes to twelve and refused to budge as customers defied this logic and opted for best-of-breed multivendor investments and multilayer defence strategies instead. From a security-purist point of view, multifunction security appliances are still positioned by security practitioners as "not good practice" in a multi-layered security approach. As the technology and the market mature, I am sure this will change over time, however.

Third, I believe the all-in-one appliance approach is currently only accepted in the market for "mature" technologies such as AV, anti-spam, anti-spyware and content/URL filtering, i.e. the traditional "content security/proxy" market. Mixing any "emerging" or "immature" technology such as deep-packet inspection or IPS into the appliance immediately nullifies its attractiveness to clients. From their point of view this is new, unfamiliar, untested and unproven technology, and if things go wrong they want to be able to isolate one box. Mixing it with traditional firewall/VPN functionality has also met with a mixed response.

Fourth, as for firewall and VPN: apart from the SMB/SME market, people either already have a best-of-breed FW/VPN they don't want to mess with (customers don't want to touch their existing firewall setup and would prefer to buy a separate device they can pull the plug on, or blame, if connections suddenly get dropped), or they still believe the firewall is the front line of defence and prefer a robust, enterprise-class, purpose-built, best-of-breed technology in a separate box for it. As for VPN appliances, see Why VPN vendors are not including additional functionality in their appliances.

Fifth, we need to learn from the success of the Cisco Integrated Services Router (ISR). In one quarter, Cisco shipped over $1Bn of these appliances. To my mind, this is the most successful execution and market penetration yet achieved by any security vendor selling "multifunction" security appliances. Take two very mature technologies in which Cisco is known to excel and command significant market share, namely routers and FW/VPN, and put them in one box at the branch level. Combine that with the reality of de-perimeterisation and an upcoming router tech-refresh cycle and you hit the magic trifecta, and... boom... the rest is history.

So real-world adoption is showing that multifunction devices are taking off at the branch level and not at the HQ/Internet perimeter, and I believe this trend will continue as customers realise they need to "push their perimeter" deep into their branch networks and re-perimeterisation takes hold.

Monday, September 12, 2005

Katrina scams proliferate

[Image: A genuine Red Cross Katrina phishing site]

Phishing scams traditionally rely on clever social engineering, naivety and ignorance.

The naivety and ignorance remain, but the Asian tsunami and Hurricane Katrina disasters have provided the first big opportunities to socially engineer around sympathy for one's fellow man.

We can expect every natural and human-induced disaster to be followed by this trend in the future. Following the success of the Asian tsunami scams, there are now some 2,300 web sites advertising Hurricane Katrina relief services, and most of them are presumed to be bogus, the FBI said on Friday. In addition, scammers are four times more prevalent than after the tsunami disaster, according to the watchdog site. Scams include:
  • Phishing: In this scheme scamsters use fake Web sites that pretend to be legitimate relief organizations. If you click on the site and enter credit card or other financial information, it will be used to steal your identity. Any contributions you make go into the pockets of the scammers.
  • Viruses and trojans: Spam is sent that includes photos of disaster areas or individual survivors, and these attachments contain computer viruses. These can enable hackers to take control of your computer and obtain information that they can use for identity theft.
  • Fee-based spams: These are unsolicited e-mails that offer, for a fee, to locate missing relatives and loved ones caught in the hurricane.

Friday, September 09, 2005

VOIP driving security market

Because of VoIP, firewalls may never be the same. New research shows that organizations underestimate the demands that enterprise VoIP security places on existing firewalls, and that those demands are altering the landscape of the firewall market.

The new findings show that the security appliance market is poised for strong growth over the next few years because businesses that have deployed Voice over Internet Protocol (VoIP) are facing difficult security challenges and 75% of them are planning to replace their current security systems within the next year.

Traditional firewall and security technologies complicate several aspects of VoIP, most notably dynamically allocated media ports, Network Address Translation (NAT) traversal, the Session Initiation Protocol (SIP) and H.323. Most organizations aren't concerned about whether their firewalls can handle VoIP traffic until after their VoIP implementations are completed or well under way, and security product vendors are only now adding functions that address voice applications to their products.

Companies commonly begin VoIP implementations with limited internal trials, and they often fail to realise the breadth of the security implications of transmitting voice packets beyond the network perimeter, such as the need to prevent call recording, denial-of-service attacks and other threats without degrading call quality. Those that do consider it often wrongly believe that existing firewalls are capable of handling VoIP security, and lack information to the contrary until they get hands-on experience.
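To make the dynamic-port and NAT-traversal points above concrete: a SIP INVITE carries an SDP body that names the address and port the caller will use for RTP media, chosen per call, so a firewall has to read the SDP to know which pinholes to open, and a NAT has to rewrite the SDP, not just the IP header, or the far end sends audio to a private address. The following is an added example, not code from In-Stat or any vendor: a minimal SIP/SDP parser that lists the pinholes a stateful firewall would need, detects an RFC 1918 address in the offer, and performs the rewrite a SIP application-layer gateway does. The INVITE message is constructed for illustration, and the 203.0.113.7 public address and the port mapping are assumptions.

```python
"""Minimal SIP/SDP handling to show why VoIP breaks static firewall rules and
plain NAT. Added example, not code from In-Stat or any vendor. The INVITE is
constructed; the public address 203.0.113.7 and the port mapping are assumed."""
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def build_invite(addr: str, audio_port: int, video_port: int) -> str:
    """Construct a SIP INVITE whose SDP offer names the caller's media ports."""
    body = ("v=0\r\n"
            f"o=alice 2890844526 2890844526 IN IP4 {addr}\r\n"
            "s=-\r\n"
            f"c=IN IP4 {addr}\r\n"
            "t=0 0\r\n"
            f"m=audio {audio_port} RTP/AVP 0\r\n"
            "a=rtpmap:0 PCMU/8000\r\n"
            f"m=video {video_port} RTP/AVP 31\r\n")
    headers = ("INVITE sip:bob@example.net SIP/2.0\r\n"
               f"Via: SIP/2.0/UDP {addr}:5060;branch=z9hG4bK776asdhds\r\n"
               "From: Alice <sip:alice@example.com>;tag=1928301774\r\n"
               "To: Bob <sip:bob@example.net>\r\n"
               f"Call-ID: a84b4c76e66710@{addr}\r\n"
               "CSeq: 314159 INVITE\r\n"
               f"Contact: <sip:alice@{addr}:5060>\r\n"
               "Content-Type: application/sdp\r\n"
               f"Content-Length: {len(body)}\r\n")
    return headers + "\r\n" + body


SAMPLE_INVITE = build_invite("10.1.2.3", 49170, 51372)


def parse_sdp(message: str):
    """One dict per m= line: media type, port, transport and the address the
    stream will use (a c= line after an m= line overrides the session-level one)."""
    headers, _, body = message.partition("\r\n\r\n")
    if "application/sdp" not in headers.lower():
        return []
    session_addr, streams = None, []
    for line in body.splitlines():
        if line.startswith("c="):                 # c=<nettype> <addrtype> <address>
            addr = line.split()[2]
            if streams:
                streams[-1]["addr"] = addr
            else:
                session_addr = addr
        elif line.startswith("m="):               # m=<media> <port> <proto> <fmt...>
            media, port, proto = line[2:].split()[:3]
            streams.append({"media": media, "port": int(port), "proto": proto, "addr": None})
    for s in streams:
        if s["addr"] is None:
            s["addr"] = session_addr
    return streams


def pinholes(message: str):
    """(address, UDP port) pairs a stateful firewall must open for this call:
    each stream's RTP port plus RTCP on port+1. The ports are picked per call
    by the endpoint, which is why a fixed rule set cannot express them."""
    holes = []
    for s in parse_sdp(message):
        holes += [(s["addr"], s["port"]), (s["addr"], s["port"] + 1)]
    return holes


def nat_problem(message: str) -> bool:
    """True when the offer advertises an RFC 1918 address. A NAT rewrites the IP
    header but not the SDP payload, so the callee answers to an unreachable
    address: signalling completes, media never arrives (one-way or no audio)."""
    return any(ipaddress.ip_address(s["addr"]) in net
               for s in parse_sdp(message) for net in RFC1918)


def alg_rewrite(message: str, public_addr: str, port_map: dict) -> str:
    """What a SIP application-layer gateway does on egress: rewrite c= to the
    public address and each m= port to the port the NAT reserved, then fix
    Content-Length so the message still parses at the far end."""
    headers, sep, body = message.partition("\r\n\r\n")
    out = []
    for line in body.splitlines():
        if line.startswith("c="):
            net, atype = line[2:].split()[:2]
            line = f"c={net} {atype} {public_addr}"
        elif line.startswith("m="):
            parts = line[2:].split()
            parts[1] = str(port_map[int(parts[1])])
            line = "m=" + " ".join(parts)
        out.append(line)
    new_body = "\r\n".join(out) + "\r\n"
    headers = re.sub(r"^Content-Length:\s*\d+", f"Content-Length: {len(new_body)}",
                     headers, flags=re.M | re.I)
    return headers + sep + new_body


def content_length_ok(message: str) -> bool:
    """Check that the Content-Length header matches the body actually carried."""
    headers, _, body = message.partition("\r\n\r\n")
    m = re.search(r"^Content-Length:\s*(\d+)", headers, flags=re.M | re.I)
    return m is not None and int(m.group(1)) == len(body)


if __name__ == "__main__":
    print(pinholes(SAMPLE_INVITE), nat_problem(SAMPLE_INVITE))
    fixed = alg_rewrite(SAMPLE_INVITE, "203.0.113.7", {49170: 20000, 51372: 20002})
    print(pinholes(fixed), nat_problem(fixed), content_length_ok(fixed))
```

The same parsing is what a VoIP-aware firewall does inline: open the listed pinholes when the INVITE passes, and close them again when the BYE does. A firewall without that logic either blocks the media or is configured with a wide static UDP range, which is the trade-off the In-Stat respondents are reacting to.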

These new findings were published by In-Stat, a high-tech market research firm, in its latest report dealing with the impact of VoIP on security appliances.

Key findings of the report include:
  • Larger, mid-sized companies (500-999) show a higher percentage of concerns about VoIP security than companies of other sizes.
  • Budgets allocated for new security appliances are significantly higher in companies that have already implemented VoIP.
  • Reliability is by far the most important criterion for the purchase of new security appliance products by businesses.

Thursday, September 08, 2005

New Critical Cisco IOS Flaw

It is a mere 6 weeks after the Ciscogate incident and another serious IOS flaw has surfaced. Those who thought Ciscogate was a one-off incident are going to have to rethink their position, and I am certain that the publication of further flaws and vulnerabilities in Cisco's IOS is something we are going to have to get used to in the future.

What makes this news interesting is that for the first time an IOS flaw has been flagged as posing a serious cyberattack risk to computer networks and the 'Net, and it has prompted security vendor Symantec to raise its ThreatCon global threat index to Level 2, which means an attack is expected. This is a turnaround from the Ciscogate vulnerability, where the threat was pooh-poohed. So, wisely, Cisco is playing it safe this time around. FrSIRT has given the vulnerability a critical rating. Given the recent attention to exploits in Cisco's IOS and the vows made by the hacking community following the BlackHat controversy, it is probable that this issue will see attempts at exploit development in the near term, according to analysts.

Devices that do not support, or are not configured for, Firewall Authentication Proxy for FTP and/or Telnet services are not affected. Devices configured only with Authentication Proxy for HTTP and/or HTTPS are also not affected, and only devices running certain recent versions of Cisco IOS are affected. On the surface of it, one would assume not a lot of customers are running these features or the affected IOS versions, so it makes one wonder why Cisco and Symantec view this so seriously.
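Whether a router meets the configuration condition above can be checked mechanically rather than by eyeballing hundreds of running-configs. The following is an added example, not Cisco's code: it parses a saved show running-config and reports the interfaces that apply an auth-proxy rule covering FTP or Telnet, which is the case the advisory keys on, while HTTP/HTTPS-only rules are left alone. It assumes the global syntax ip auth-proxy name <rule> {ftp|telnet|http|https} ... and the interface sub-command ip auth-proxy <rule>; the configuration text is constructed, and the affected IOS releases are not listed on this page, so the version is only reported, not judged.

```python
"""Audit an IOS running-config for Firewall Authentication Proxy rules that
cover FTP or Telnet. Added example, not Cisco code. Assumed command syntax:
global 'ip auth-proxy name <rule> {ftp|telnet|http|https} ...' and the
interface sub-command 'ip auth-proxy <rule>'. The config below is constructed."""
import re

SAMPLE_CONFIG = """\
!
version 12.3
hostname edge-rtr
!
ip auth-proxy name WEBONLY http inactivity-time 60
ip auth-proxy name FTPTEL ftp
ip auth-proxy name FTPTEL telnet
!
interface FastEthernet0/0
 description Outside
 ip address 192.0.2.1 255.255.255.0
 ip auth-proxy FTPTEL
!
interface FastEthernet0/1
 description Inside
 ip address 10.0.0.1 255.255.255.0
 ip auth-proxy WEBONLY
!
interface Serial0/0
 no ip address
 shutdown
!
end
"""

RULE_RE = re.compile(r"^ip auth-proxy name (\S+) (ftp|telnet|http|https)\b")
IFACE_RE = re.compile(r"^interface (\S+)")
APPLY_RE = re.compile(r"^ ip auth-proxy (\S+)")
VERSION_RE = re.compile(r"^version (\S+)", re.M)


def ios_version(config: str):
    """The 'version' line of the config, for comparison against the advisory."""
    m = VERSION_RE.search(config)
    return m.group(1) if m else None


def parse_auth_proxy(config: str):
    """Return (rules, applied): rule name -> set of protocols it covers, and
    interface name -> set of rule names applied to it. Handles both one rule
    per protocol and the same rule name repeated with different protocols."""
    rules, applied, current = {}, {}, None
    for line in config.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.setdefault(m.group(1), set()).add(m.group(2))
            continue
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            applied.setdefault(current, set())
            continue
        if not line.startswith(" "):
            current = None            # any unindented line ends the interface block
            continue
        m = APPLY_RE.match(line)
        if current and m:
            applied[current].add(m.group(1))
    return rules, applied


def exposed_interfaces(config: str, protocols=("ftp", "telnet")):
    """Interfaces whose applied auth-proxy rules cover any of the given
    protocols: interface name -> sorted list of matching protocols."""
    rules, applied = parse_auth_proxy(config)
    result = {}
    for iface, names in applied.items():
        covered = set().union(*(rules.get(n, set()) for n in names))
        hit = covered & set(protocols)
        if hit:
            result[iface] = sorted(hit)
    return result


def is_affected(config: str) -> bool:
    """The advisory's configuration condition: auth-proxy for FTP or Telnet is
    applied somewhere. HTTP/HTTPS-only deployments return False. The IOS
    version check is separate; the affected releases are not listed here."""
    return bool(exposed_interfaces(config))


if __name__ == "__main__":
    print("IOS", ios_version(SAMPLE_CONFIG))
    for iface, protos in exposed_interfaces(SAMPLE_CONFIG).items():
        print(f"{iface}: auth-proxy for {', '.join(protos)} -> review against advisory")
    print("affected:", is_affected(SAMPLE_CONFIG))
```

Run it over an archive of configs pulled by your config-management tool and you get the list of routers to patch first; a rule that is defined but never applied to an interface is correctly ignored, since the feature is not in use there.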

Even though my company and I personally have advised hundreds of customers to look at securing IOS infrastructure holistically, as they would their Microsoft operating systems and desktops, it has been amazing how consistently this ends up at the bottom of the priority pile, and how the impression of IOS's supposed imperviousness persists. I give it another 6 months and this issue will be at the top of the pile...

We have discussed at length what needs to be done, noting that it is a non-trivial task and that planning needs to start now rather than when it is too late, in the following posts:
Ciscogate : Advice for customers
Ciscogate:The Lynn interview
Cisco IOS flaw saga continues
Pulled presentation spreads like wildfire
Cisco, ISS PR disaster
Cisco, ISS file for injunction at BlackHat
Cisco coverup ignites BlackHat controversy

...and two predictions on this blog, made before these events, that were spot on the money:
13 July Hackers to target Cisco next?
13 May Best you start thinking about patching your IOS now

Monday, September 05, 2005

State of the CSO : 2005

For the past three years, CSO magazine has conducted its “State of the CSO" survey in an effort to define the role of the chief security officer (CSO), to understand the components of the job, the challenges, priorities, and to capture job specifics like salary and tenure.

A number of trends are emerging. The old "geeks and guards" stereotypes, which may have had more than a faint ring of truth five or ten years ago, appear to be fading away. The lines between information security and corporate security are blurring as companies combine these once very separate functions into one. And the head of security increasingly lists IT, law enforcement, the military, auditing and business operations in their background. Overall, there is evidence that the influence of security executives within their organisations is on the upswing.

Management's approach toward security also seems to be maturing dramatically, according to the scorecard below:


Friday, September 02, 2005

CIO Tech Poll - Security

The August 2005 CIO Magazine Tech Poll shows IT spending during the next 12 months fell off last month's all time high but still remained strong. CIOs continue to express optimism and expect to increase IT budgets 7.1%.

Of the eight specific IT categories, the three for which the most CIOs forecast increased spending are security software (51.7%), storage systems (51.2%) and data networking equipment (42.9%).