Friday, October 28, 2005

Skype problems to affect enterprises

The growing popularity of Skype Technologies SA's free Internet telephony software could soon pose the same kind of security challenges for companies that other peer-to-peer (P2P) software technologies have created in recent years, according to security experts. Skype is "VoIP on steroids," capable of punching holes through many of the network defenses that companies typically deploy.

Like other P2P technologies, Skype allows users to establish direct connections with each other. It is also "port agile," meaning that if a firewall port is blocked, Skype will look around for other open ports that it can use to establish a connection. If you put Skype behind a firewall or a Network Address Translation layer, 99 times out of 100 it will still work.

The warning comes after the disclosure this week of two critical flaws in Skype's software, one of which could allow malicious hackers to take complete control of compromised systems. Skype, which was recently acquired by eBay Inc. for $2.6 billion, offers downloadable software that allows PC users to make free Internet telephone calls to each other and low-cost calls to telephone users. So far, Skype has garnered more than 61 million registered users, approximately 30% of whom use it for business purposes, according to the company. Almost all of that adoption has been in Europe and Asia, though analysts expect Skype to eventually gain wide acceptance in the U.S. as well.

In the meantime, business users should refrain from using "voice services based on proprietary protocols like Skype while on corporate networks because of network security issues," Gartner said in a Sept. 15 advisory.

CATEGORIES: 1VOIP, 1P2P, 1flaws, 1advisory, 1disruption, 1vulnerability, 1threat

Extortion virus stages comeback

Two new versions of a virus first reported in May are staging renewed attacks against computers in Russia, encrypting files and then extorting money from victims to decrypt the files. After an infection, the Russian-language instructions let victims know how many of their files have been encrypted. Translated, the warning says, "If you want to get these damn files in the decrypted format," then write to the e-mail address given. The message goes on to say, "P.S. And be thankful that they were not completely erased!"

Virus writers who seek to extort money from victims are nothing new and have been around since at least 1989. In the last couple of years, however, virus writers have moved away from writing malicious code simply to display their skills and are increasingly trying to make money.

CATEGORIES: 1virus, 1crime, 1extortion, 1trends

Consumers shy away from Internet

New research released by Consumer Reports WebWatch finds that U.S. Internet users are cutting back on the hours they spend online, shunning e-commerce and refusing to give out personal information as a result of the rising tide of Web-based crimes related to identity theft.

According to the WebWatch report, released Wednesday, 80 percent of all American Web surfers are at least somewhat concerned about the threat of identity theft posed by engaging in online activities. As a result of those concerns, at least 30 percent of the 1,500 people interviewed for the survey said they have reduced the amount of time they access the Internet.

In addition to going online less frequently, 53 percent of the respondents told WebWatch that fears of ID theft have stopped them from giving out their personal information to Web sites and online marketers, while 25 percent said they are no longer purchasing items from e-commerce sites.

CATEGORIES: 1ID theft, 1survey, 1e-commerce, 1users, 1privacy, 1crime

Symantec scrambles to ward off Microsoft

Symantec Corp.'s recent acquisitions of WholeSecurity Inc. and Sygate Inc. were seen as nice, complementary purchases for the security giant, but Symantec has ambitious plans for the companies' technologies that could begin an overhaul of its core product lines. In the coming months, Symantec plans to integrate behavior-based malicious-code detection from WholeSecurity and endpoint compliance technology from Sygate into the Symantec anti-virus engine. The company also plans to replace its enterprise firewall with Sygate's technology.

Symantec will use the new technology in both its consumer and enterprise products. WholeSecurity's Confidence Online client will be integrated into Symantec's anti-virus engine within the first half of next year. The company's Confidence Online for Web Applications thin-client technology will be rolled together with Sygate's On-Demand client, and the nascent IPS (intrusion prevention system) technology that Sygate had developed will be replaced with WholeSecurity's mature behavior-based IPS.

Symantec is moving quickly to add new features in an effort to stay one step ahead of competitors, including Microsoft Corp., which will soon offer its own consumer and enterprise anti-virus and anti-spyware technology, said David Friedlander, an analyst for Forrester Research Inc., in Amsterdam, Netherlands.

CATEGORIES: 1vendors, 1endpoint security, 1AV, 1admission control, 1IPS, 1acquisitions

ISO 27001 Standard published

After several months in final draft mode, ISO 27001 has been published as an official standard. It essentially defines an Information Security Management System (ISMS) and complements the ISO 17799 'code of practice' standard. These two standards are closely aligned, but fulfill clear and distinct roles:
  • ISO 17799 details many hundreds of individual security controls, which may be selected and applied as part of the security management system.
  • ISO 27001 specifies the requirements for the security management system itself. It is this standard, as opposed to ISO 17799, against which certification is offered. ISO 27001 has also been "harmonized" to be compatible with other management standards, such as ISO 9000 and ISO 14000.
The publication of the new standard, earlier versions of which were published as BS7799-2, is likely to herald a rapid increase in interest in both information security and certification. Organizations already certified under BS7799-2 will embark on a transitional route, while the international status of the new certification standard is bound to have a global impact on the number of organizations pursuing certification. The new standard is offered online via StandardsDirect (BSI) and SNV Standards Online.

CATEGORIES: 1standards, 1ISO17799, 1ISO27001, 1ISMS, 1certification, 1best practices, 1first

Endpoint Security: Let the users grumble

The security mechanisms that protect the corporate network and enterprise applications may be well established, but for many organizations, endpoint security remains a weak point -- and a big headache. You say you haven't done anything about that headache? Then take two aspirin and get going, because the cost of doing nothing is on the rise.

Taken together, the compliance requirements for protecting data against loss, the risk to the organization of intellectual property theft, and the support challenges arising from corrupted PCs and laptops make a strong case for tighter endpoint controls.

The problem is, users don't like endpoint security controls. They will accept antivirus and antispyware agents, and they may grudgingly accept a desktop firewall. But most users will grumble about anything that restricts the flexibility and freedom that the PC has come to represent. Overcoming those objections is a challenge. So is finding the right controls.

Gene Peters is deploying port-blocking software that allows policy-based control over the end user's USB, infrared and PC Card slots. A 1GB USB disk can carry a lot of information out the door. "It's just taking the level of paranoia to the next degree," says Peters, director of information services at the Philadelphia Stock Exchange. The software, from Safend Ltd. in Tel Aviv, leverages policies set in Active Directory and can allow one type of device to connect but not another. So, how do Peters' users react to such in-your-face controls? "We've gotten some pushback, but we've worked out all the issues and pretty much gotten our way," he says.

Part of that process is getting top management's support. Another part is getting the user to understand that in a business setting, there is no "personal" in "personal computer." These are business machines. If users don't like it, they should "suck it up and deal," as my preteen at home would say.

CATEGORIES: 1endpoint security, 1compliance, 1mobility, 1policy enforcement

Data security and encryption top user concerns

Keeping data secure, tracking who uses it and managing it in a way that maintains backup windows and keeps information available to customers -- especially after an interruption in service or a disaster -- are among the top issues for IT executives, according to users who took part in a panel discussion yesterday at Storage Networking World.

One of the major pain points raised by users at the conference, which ends today, is around managing hundreds of terabytes to petabytes of data in a way that protects it from outside attacks and keeps it from being compromised or lost during transport.

CATEGORIES: 1secure storage, 1data at rest, 1survey, 1business continuity, 1backup, 1storage

Thursday, October 20, 2005

Top Security Mistakes to avoid Ver 2


The first time we posted this opinion piece it was one of the most popular stories read last month on this blog. Since it was posted we have collated the findings of our global CxO Security Assessment survey and are now in a position to improve and revise the list of top customer security mistakes, this time separated into "Soft mistakes" (less obvious, subtle mistakes) and "Hard mistakes" (more obvious and conscious mistakes).

The story behind this list is as follows: as I consult and do security assessments with many customers, I am fairly accustomed to telling them what to do. However, every now and again a shrewd IT manager or CSO/CISO will ask me "What mustn't I do?" Initially I couldn't provide an answer, but after a while I understood the crazy logic. Faced with the challenge of 100 things that need doing in a security program, perhaps it does make sense to look at the things NOT to do first - maybe the list is shorter and it will help you prioritise things!

Soft Mistakes

  1. Not having an information security strategy
  2. Failure to get executive support for your security program
  3. Failure to track key security metrics
  4. Thinking that security is only a technology or IT Dept. problem
  5. Underestimating the costs of "catching up" when the need arises
  6. Thinking that you can't be held liable for lax security
  7. Equating compliance with security
  8. Failure to realize value of your information and organizational reputation
  9. Failure to understand relationship of IT to the business process
  10. Failure to consider security in outsourcing and collaboration relationships

Hard Mistakes

  1. Authorizing short term "knee jerk" fixes
  2. Assigning untrained people in an unorganised fashion to maintain security
  3. Failure to recognize importance of security awareness programs
  4. Failure to realize that traditional perimeter security is dead
  5. Failure to protect laptops, PDAs and corporate home-use computers
  6. Failure to institute effective change management
  7. Failure to implement a defense-in-depth strategy
  8. Failure to learn from others' mistakes!
  9. Failure to implement a vulnerability management strategy
  10. Failure to realize that viruses, worms, spyware and Spam are a business continuity issue and not just a nuisance.

RELATED TOPICS: This article was subsequently published in a few European countries.

CATEGORIES: 1opinion piece, 1trends, 1best practices, 1survey, 1users

Wednesday, October 19, 2005

FEATURE: Outsourcing = bad security?

This "Protection model" worked for a while, but then became increasingly powerless against viruses, Trojans, worms, application-level attacks and malicious code entering the perimeter through email, file transfers, Web pages, P2P networks and VPN links. When the virus outbreaks that preceded Blaster et al. first made their appearance, they were considered an infrequent nuisance, and the outsourcer dealt with the diagnosis and mopping-up exercises accordingly when requested by the client. In fact the outsourcer would start dealing with the issues automatically on subsequent occurrences, even when the issues were not related to their scope of work. An example of this is a WAN or LAN network outsourcer that would inevitably have to deal with the virus issues at the endpoints because they were considered a "bandwidth or connectivity or infrastructure problem." It was never dreamt that the issues would rear their heads again or even keep getting worse. To be fair, the outsourcers were focused on service and their main aim was to resolve the issues of the day - which they did.

As corporate networks became more complex, connecting to more partners and suppliers and making use of more contractors, the issues became more frequent. And then a strange thing happened - the outsourcer was dealing with the issues as "their issues," handled as part of their normal business process, and the client lost all visibility of the nature of the problem. Clients never received regular reports on the frequency, scope and impact of the security incidents and so were ignorant of the looming issues. In fact, in some cases where Internet abuse and viruses were sapping WAN bandwidth, the solution was to throw more bandwidth at the problem, which probably suited many WAN outsourcers just fine as they could bill the client for the additional bandwidth.

Some outsourcers deployed IDS technology in the networks as a first proactive step. But they quickly realised that this would not scale and in the end. What accelerated the scope creep was that all the new infections and problems were originating from within their clients' own trusted networks or from their own trusted users. This was despite aggressive antivirus, IDS and other traditional security investments made by these organisations. Since the outsourcers were managing the networks and/or users, one can understand why the responsibility "landed in their laps," so to speak.

To make matters worse, as part of the outsourcing contracts, the clients had scaled back their IT expertise. The fact that security was not a real issue 3-5 years ago, coupled with the loss of visibility we have mentioned, meant that there was never really any consideration given to having an IT security competency within the clients' staffing complement. In fact the clients' IT staffing complement gravitated towards procurement and "outsourcer relationship managers".

CATEGORIES: 1feature story, 1outsourcing, 1best practices, 1trends

EU Infosec staff struggles

The European results for the International Information Systems Security Certification Consortium (ISC)² Global Information Security Workforce Study show that a quarter of respondents feel they spend most of their working day on "internal politics, gathering metrics to justify spending, or selling security to upper management" instead of implementing security procedures.

Although security specialists feel embroiled in politics, most think their influence is growing. 73.1 percent of respondents said their level of influence has increased over the last 12 months, and 33.4 percent felt their influence had "increased significantly." Most IT security professionals think their influence will increase in the future: 78 percent expected their influence to increase over the coming year, while 37 percent expected their influence to "increase significantly".

Out of 595 respondents, the majority were security consultants, with 29 percent IT directors or managers. 7 percent of the respondents were chief information or security officers.

CATEGORIES: 1surveys, 1study, 1stats, 1metrics

DDoS rife at ISPs

Companies should devote more resources to countering old-fashioned DDoS attacks when investing in security, a survey of global ISPs has argued. The figures from Arbor Networks in its Worldwide ISP Security Report came from questionnaires sent to 36 large ISPs in the US, Europe and Asia.

Over 90 percent of ISPs surveyed cited simple "brute force" TCP SYN and UDP datagram DDoS floods from networks of zombie PCs as their biggest day-to-day hassle, a finding which should apply equally to their corporate clients. This puts DDoS ahead of more recent attack types such as fast-spreading worms and DNS poisoning, which were ranked second and third respectively in terms of prevalence.

Surprisingly, given the prevalence of this type of attack in recent years, only 29 percent of ISPs offered services to counter and trace DDoS in an automated way at the ISP level. The majority only discovered such events when a customer contacted them for help.

CATEGORIES: 1DDoS, 1denial of service, 1survey, 1stats, 1dos, 1report, 1zombie, 1botnets

Spyware outnumbers viruses 2-to-1

Millions of dollars are being spent unnecessarily each month as North American businesses and consumers wrestle with what has become the biggest threat to security on the Internet. According to a study published last month, spyware issues now outnumber virus threats by more than 2 to 1. The same report said the average expenditure by large North American enterprises tops $130,000 USD per month.

That's the first time we have some solid cost numbers for spyware...

CATEGORIES: 1spyware, 1viruses, 1survey, 1study, 1threats

More NAC announcements

Viva Las Vegas! I've just completed a 32 hour epic flight from Cape Town to Las Vegas to attend the Microsoft Partner Advisory Council - and I'm bushed and minus my luggage. The joys of travel...

We have some more news on NAC. First, Cisco has extended NAC support to its range of Catalyst switches and introduced new features allowing companies to enforce security policies on users' devices. Cisco also added new partners to its NAC program and upgraded its line of NAC hardware appliances. NAC support has been extended to its wireless access points as well. Cisco now has over 60 vendors participating in the NAC initiative. The fact that Cisco has finally extended NAC support to its line of switches means that users are likely to be more interested in the technology than they were when it was only available on Cisco routers, although larger organizations and those running older Cisco hardware are also likely to need expensive upgrades of their routers and switches to be able to use NAC.

Second, Qualys, Inc., the leading provider of on-demand vulnerability management and policy compliance solutions, today announced the integration of its QualysGuard on-demand vulnerability management solution with the Cisco Network Admission Control (NAC) program. Until now, auditing unmanaged devices for security vulnerabilities before they access the network was a challenge for enterprises seeking to limit damage from viruses and worms. With QualysGuard for NAC, organizations can automatically audit agentless hosts attempting to connect to the network, without any software to install or manage.

CATEGORIES: 1endpoint security, 1NAC, 1vendor announcements, 1admission control, 1vulnerability management

Friday, October 14, 2005

Asian InfoSec in firefighting mode

While security is moving up the priority ladder of businesses, organizations are still looking at security on a piecemeal basis. Here are some insights from CSO Online on the findings of the Global State of Information Security 2005 in the geography that matters most to Asia--Asia.

No strategy and bleeding...: 67 percent of Asian respondents suffered financial losses and 50 percent experienced intellectual property theft. Even so, most continue to be focused on tactical matters: only 33 percent of Asian respondents have an overall security strategy, and only another 22 percent plan to create a strategy within the next year.

...but trying to start at the top...: About 32 percent of Asian respondents reported that their company employs a CSO or CISO. In terms of organizational structure, 57 percent of respondents in Asia report to either the CEO or the Board of Directors while 32 percent report to the CIO.

...and not shy to spend...: Globally, security budgets, as a percentage of overall IT budget, increased from an average of 11 percent in 2004 to 13 percent in 2005. In Asia, that figure is even more encouraging, at 16 percent.

...on their top concerns...: Asian companies have indicated that potential liability (43% of respondents), legal/regulatory requirements (42%) and common industry practices (40%) are the reasons for investment in security.

...despite challenges: Despite the upbeat note, companies still cite limited budget (55%) and limited staff dedicated to security (44%) as the top two barriers to security in Asia, mirroring the rest of the world.

Priorities for 2006: In Asia, the top three process-related priorities in the area of security for next year are business continuity/disaster recovery plans (37%), active monitoring/analysis of information security intelligence such as vulnerability reports and log files (36%), and auditing/monitoring user compliance with security policies (33%).

CATEGORIES: 1trends, 1stats, 1asia, 1survey

Improvements to this site

There have been numerous improvements made to this site, some based on all the excellent and constructive feedback I have received from the readership.

Daily Email digest: You can now receive a daily digest of blog updates in addition to the monthly digest. We are using the new and excellent FeedBlitz service to do this, which works off the FeedBurner RSS feeds. A dialogue box now appears in the sidebar of the site to allow you to subscribe to or unsubscribe from the daily digest. Later on we will introduce functionality to allow you to set personalised filters on the content you would like to receive in this digest.

Sidebar re-arrangement: The sidebar has been rearranged to have the most popularly used sections on the top, such as the Technorati blog-search function, previous posts, opinion pieces and so forth.

Categories Archive: Blogger does not support categories, but I have found a workaround using Technorati. You will now see a CATEGORIES ARCHIVE in the sidebar that provides a listing of all archived entries according to predefined categories. To allow for more focussed and accurate category searching in the future, you will note that all postings now have their associated categories listed at the bottom. The categories currently listed are just a start - I will refine them over time.

Opinions and Insight: There is a new sidebar section for "Opinion pieces and Insight". These are basically posts straight from observations and reflections on what I see in the market or in interaction with clients, and are normally 100% original content. I may link to various previous postings to reinforce ideas etc. The headings of these postings will not link to any source article.

Feature Stories: These are crafted into 3 or 5 part series of themed topics. The stories will evolve over a period of weeks depending on my time availability. The content will be original 70% of the time, but from time to time I come across multi-part features in the press and will include them as well. Feature stories also appear in their own section in the sidebar.

BuzzBoost: BuzzBoost gives you a snippet of JavaScript you can paste into your own web-site page templates that lists the day's story headlines with 20 words of the story text. The headline is hyperlinked to the original full story on Security Wrap. The script is shown below:

Headline Animator: Create an animated GIF image that is a rotating banner and cycles through this site's five most recent items. Clicking on the story takes you to the web site for the full content. You can copy and paste JavaScript code into your web page, email signature or discussion board profile. Look below to see the sample together with the required JavaScript:

Security Wrap Team

CATEGORIES: 1housekeeping

Endpoint Data Protection ignored

"Endpoint Security" will be a huge focus from now on, and this is borne out by findings from a recent summit I attended with some strategic customers (see Top InfoSec issues for 2006 and various other research).

Holistic "Endpoint Security" to my mind includes:
  1. Authentication (device and/or user - passwords, 802.1x etc.)
  2. Host Security (AV, H-IPS, Personal FW, and AntiSpyware),
  3. Policy & Integrity Enforcement (Scan & Block appliances from the likes of Cisco Clean Access/Sygate or Integrity Architectures such as NAC/NAP/TNC) and
  4. Data Protection or Security (encryption, data erasure, component control).

The mobility phenomenon coupled with contractors is where the real endpoint security risk lies (mainly laptops today, but PDAs and smartphones tomorrow). The problem is that laptops today are:

  • at high risk from infection (so they need Host security)
  • at high risk from infecting others (so they need their integrity checked - NAC, Sygate etc.)
  • at high risk from being lost/stolen (so they need their Data protected)
Lost or stolen laptops, smartphones and PDAs are a huge security risk that everyone is ignoring. Think about the data that resides on these devices. If you look at the graphic table in a previous blog entry titled Publicized security breaches to rocket, you will see that data taken from the Privacy Rights Clearinghouse shows "Stolen Laptops or computers" as the 2nd largest root cause of data compromise in US public disclosures since February this year. This should not be surprising - see Lost or stolen mobile devices are bigger risk to get an idea of what I am talking about.

To date, everyone has been ignoring the data security issue and focussed on the other stuff. However, I believe this is about to change, and I articulate my views on why in Endpoint encryption to go mainstream. Gartner has also recently raised the red flag in Mobile email devices a security risk. Right now it would seem that only niche products (PGP, Utimaco, Safepoint and BootSec) are available for endpoint data protection that will work on PCs, servers and laptops and ALSO work on PDAs, Blackberries and smartphones, and offer centralised management together with remote data wiping or erasure should devices be lost or stolen. Component control (flash drives, USB sticks, iPods etc.) needs to be delivered by yet another niche vendor.

So today, no one vendor exists to do all of this. But I believe this will change, because from a manageability perspective it has to. Likely candidates for complete solutions are Symantec, McAfee and CA. But that is for another story...

CATEGORIES: 1opinion piece, 1trends, 1data protection, 1endpoint security, 1mobility, 1best practices

Thursday, October 13, 2005

Expect bigger IM attacks

IM attacks are already exploding, up a whopping 2,000% since last year. The bigger, combined Microsoft-Yahoo network will let attacks spread even further and faster.

The deal struck Wednesday by Yahoo and Microsoft to make their instant messaging (IM) networks work together in 2006 may sound great at first glance, but security experts say that the merger will make IM an even bigger target for hackers and hucksters. "98% of the stories about Yahoo and Microsoft will be about the benefits of interoperability and how the deal will eliminate the traditional hurdles in IM," said Jon Sakoda, the chief technology officer for IMlogic, an Internet security firm that specializes in defending against IM and file-sharing threats.

Instead of those silver linings, Sakoda sees some possible gray clouds on the horizon. "IM worms have generally targeted individual networks, say, only Yahoo or MSN. That's why you haven't seen a global worm that propagates to millions," he said. "There hasn't been any interoperability, but this deal changes that." Christopher Dean, the senior vice president of business development at rival FaceTime, agreed. "As you increase the size of the network, there's a greater chance that [malicious] things can spread. It's a bigger network effect."

CATEGORIES: 1IM, 1instant messaging, 1vendors, 1deal

1st TNC products launched

This happened faster than I thought. Funk Software has announced the first commercial Endpoint Integrity Solution based on Trusted Computing Group’s Trusted Network Connect (TNC) standards.

The standards-based approach ensures interoperability and scalability; Steel-Belted Radius/Endpoint Assurance and Odyssey 802.1x Client are compatible with security and infrastructure products from McAfee, Inc., Symantec, PatchLink, and ProCurve Networking by HP. Funk Software’s new Endpoint Assurance products are built upon the open standards developed by the Trusted Computing Group’s Trusted Network Connect (TNC) subgroup, which is dedicated to defining and promoting an open solution architecture to ensure endpoint integrity. With endpoint integrity products based on the TNC standards, enterprises can leverage existing technology and use the best-of-breed products of their choice, avoiding the restraints of a proprietary architecture.

This option joins Cisco's NAC, Cisco's Clean Access Appliances and other appliances from the likes of Sygate, as viable commercial options for customers to start rolling out endpoint integrity solutions in 2006. Maintaining network integrity is a key objective of most enterprises as they define their IT and security objectives for 2006, but most enterprises have delayed deployment until a solution demonstrating true multi-vendor compatibility became available.

CATEGORIES: 1endpoint integrity, 1endpoint security, 1integrity architectures, 1vendors, 1first

Wednesday, October 12, 2005

FEATURE: Outsourcing = bad security?

Chapter 1 - The good old days
Chapter 2 - The scope creep
Chapter 3 - The rude awakening
Chapter 4 - Knee jerk reactions
Chapter 5 - False sense of security
Chapter 6 - Caveat Emptor
Chapter 7 - Making a choice

NOTE: This was turned into a 5 page feature story in ITSecurity Magazine. See here for details or to download the PDF.

I have engaged with many customers who signed outsourcing contracts between 3 and 5 years ago and have observed some common traits that are now yielding significant challenges for these customers and the outsourcing suppliers alike.

When these contracts were signed, information security was not a big issue. It just was not on the radar. There was no onerous legislation, nor were there debilitating virus outbreaks, and globally destructive self-replicating worms were not even dreamt of. Spyware sounded like something from a science fiction novel, and we were not faced with a proliferation of mobile communications technologies or devices. If you had told someone then that 850 million people were going to be using instant messaging and peer-to-peer protocols to drown your network with private chats and share music, movie and porn downloads, you would have been dismissed as alarmist or out of touch with reality. In those days, we could count the number of entry points into our relatively simple networks on one hand. The focus was on cost cutting, efficiency, connectivity service levels and agility. Information security was a simple equation: "Security = Firewalls + Antivirus = IT Dept"

I have personally reviewed a number of these contracts coming up for renewal, and Info Security was buried among all the legalese and traditional service options as a vague one-liner, normally something to do with maintenance of firewalls and AV. In fact, for all intents and purposes, information security as we know it today was OUT OF SCOPE of the contract.

The reason for this is that prior to the advent of the Internet, email and e-commerce, the closed nature of corporate networks made security a relatively easy affair. The classic security defence model revolved around defending a "trusted" internal network from the "untrusted" outside (everything else). The demarcation line between these two zones of trust was called the "perimeter", and security products such as firewalls, VPNs etc. were implemented on the perimeter to enforce the trust differentials. A demilitarized zone (DMZ) was set up on the firewall for public-facing data. This represented the "Protection" security model, or the "good old days" when "security was easy".


CATEGORIES: 1feature story, 1outsourcing, 1best practices, 1trends,1advice

Tuesday, October 11, 2005

Lost, stolen devices biggest risk

We saw from the Dimension Data Sun City SIG that mobility was voted as posing a significant challenge to IT security, with endpoint security being a priority to address these challenges. Contrary to popular belief, the primary security threat posed today by the surge in corporate use of mobile devices such as laptops, smartphones and PDAs is not malware, industry pros said at the Mobile Business Expo in Chicago today, but missing mobile phones and lost or stolen PDAs and laptops.

For example, during one six-month period last year, in Chicago alone, business workers lost more than 85,000 mobile devices as they stepped out of cabs. Given that about 85 percent of a company's intellectual property can be discerned through its e-mail, we can see that the loss or theft of any type of mobile device is a huge threat to organisations.

Most of the mobile device security hype has centred around viruses and worms, and whilst this may indeed be the largest threat for laptops, the big issue with phones and PDAs is the email stores and other data sitting on them that can be exposed, given their higher propensity to go "missing in action". There are some 162 million mobile subscribers in the U.S. today, but only about 40 percent of organizations have a security policy for mobile applications. That's not to say that laptops are without their problems - we saw from the Privacy Rights Clearinghouse stats that stolen laptops resulted in the 2nd largest loss of identities in the US.

RELATED TOPICS: See also Securing mobile phones, Endpoint encryption goes mainstream?, Mobile email devices a security risk and Lost PDA's pose security risk

CATEGORIES: 1mobile security, 1mobility, 1data theft, 1stats, 1best practices, 1email

Ciphertrust launches IM solution

I don't normally write about new product announcements unless they are a first or a game changing event. Given all the airtime I have given Instant Messaging (IM) though, I thought that this was worth blogging about.

CipherTrust has launched the first solution that integrates policy to secure, log, monitor and encrypt enterprise IM communications in addition to enterprise email messaging. This is starting to offer a very compelling value prop for overall "Enterprise Messaging Security" - one gateway box with one set of management tools for email and IM. The launch of CipherTrust's IronIM is part of the company's ongoing strategy to provide unified security protection across multiple messaging protocols.

Enterprise IM was until now the domain of the likes of BlueCoat or focussed IM vendors such as Facetime or IMLogic, but this brings a very different spin on things to the party.

CATEGORIES: 1IM, 1vendor, 1messaging security,1launch

Top InfoSec Issues for 2006

I attended the "Security & Risk Management" track of the annual Dimension Data Global Customer Special Interest Group (SIG) at The Palace of the Lost City at Sun City, South Africa last weekend, where some 16 of their influential customers from around the world convened with their executive management to discuss challenges facing IT.

The Security track yielded the following top customer issues likely to impact their information security strategies for 2006, in order of importance/impact:

  1. Privacy and Legislation
  2. Mobility and wireless
  3. Outsourcing & Collaboration
  4. Convergence
  5. Organised Crime
  6. Messaging, presence and P2P
  7. Internet usage explosion

The most likely technology category to address many burning issues currently experienced in InfoSec was "Endpoint Security" consisting of:

  1. Authentication (device and user)
  2. Integrity & compliance enforcement (scan+block)
  3. Encryption
  4. Remote data erasure (wiping)

CATEGORIES: 1survey, 1SIG, 1trends, 1endpoint security, 1users, 1privacy, 1mobility, 1outsourcing, 1convergence, 1crime, 1messaging, 1endpoint security

Monday, October 10, 2005

Checkpoint buys Sourcefire

Security system developer Check Point Software Technologies acquired Sourcefire, a provider of intrusion prevention and network awareness systems, for $225 million cash on Thursday as it seeks to expand beyond its core firewall and virtual private network businesses. Privately-held Sourcefire was founded in 2001 to commercialise the open-source Snort intrusion-detection system (IDS) software but has yet to turn a profit. Sourcefire has about 140 employees. There are "current plans" for layoffs.

Check Point will keep the company's Snort technology open, they said, so that it could be used by other companies and enterprises. But they were vague about an exact roadmap for the future and merely hinted about product integration. The acquisition marks a rare decision by Check Point to buy, rather than build, its security technology.

Check Point, based in Israel, was previously slow to introduce new products and react to market changes, such as the addition of security appliances, until this past year, analysts have said. But in buying Sourcefire, Check Point may be reacting to pressure as networking giants such as Cisco Systems, 3Com (with the acquisition of TippingPoint), McAfee (enjoying success with their IntruShield IPS appliance) and Juniper Networks make heavy inroads into the IPS appliance market.

Check Point expects Sourcefire will account for 6 percent to 8 percent of its overall revenues next year.

CATEGORIES: 1aquisitions, 1intrusion prevention, 1open source,1vendor

AsiaPac warms to security outsourcing

SINGAPORE -- Corporations across the Asia-Pacific region are becoming more open to outsourcing the management of their IT security systems to third parties, according to speakers at the MediaConnect Asia Security Forum here last week.

During the conference, attendees said that the process of outsourcing IT security has started in mature markets such as Australia, Japan and Taiwan. As a whole, the region is catching up with other parts of the world on security outsourcing. Security demands generated by online applications such as e-commerce systems and Web services are prompting corporate users to hand off intrusion detection, firewall management and other security functions to third-party vendors.

CATEGORIES: 1trends, 1outsourcing, 1management,1asia,1forum

Arrests & Conviction roundup

Looks like it has been a good week against the bad guys...

Jail time for UK hackers
Two men were sentenced to jail for their roles in creating the self-replicating TK worm that created a global rogue network of compromised PCs for an international hacking group.

Dutch police nab suspected bot herders
Dutch police have arrested three individuals suspected of hacking into more than 100,000 computers worldwide and using the hijacked systems in online crimes. The three individuals, whose names were not disclosed, allegedly commandeered the computers using malicious code known as a Trojan horse. The investigation is ongoing and more arrests are expected, prosecutors said. Investigators accuse the suspects of hacking into computers, destroying computer networks and installing adware and spyware. The suspects are also thought to have sold their services to others, writing viruses that were designed to steal login data for online banking.

Legal action against 757 file sharers
Legal action has been taken against 757 people in the US accused of using file-sharing networks to illegally share music online. The BBC reports that the total number of copyright infringement cases by the U.S. music industry is 14,800 and the Recording Industry Association says that 64 of those charged in the latest action were fans that used college networks. So far more than 14,000 people in 12 countries have faced legal action for allegedly swapping music tracks online.

Man guilty of accessing tsunami site
A computer consultant has been convicted of gaining unauthorized access to a Web site collecting donations for victims of last year's Asian tsunami, even though the judge hearing the case accepted that he meant no harm. Cuthbert, who at the time of his arrest had been employed by global banking group ABN Amro to carry out security testing, had pleaded not guilty to the charge. He was fined about $700 (400 pounds) plus about $1,050 for costs.

Government cracks down on Spyware operation
WASHINGTON - Government regulators are trying to shut down a company they say secretly downloaded spyware onto the computers of unwitting Internet users, rendering them helpless to a flood of pop-up ads, computer crashes and other annoyances.

FTC sues company over spyware
The Federal Trade Commission announced on Wednesday that it has sued a company it says secretly installed spyware and adware purporting to be peer-to-peer file sharing software. The company offered claims such as "Download music without fear," and "Don't let the record companies win," but in reality did things like rewriting search engine results and generating pop-up ads, the agency said.

Man charged in Katrina web scam
A Florida man who collected nearly $40,000 over the Web for Hurricane Katrina humanitarian relief was indicted on fraud charges Monday.

CATEGORIES: 1legal, 1convictions, 1arrests, 1indictments, 1hackers, 1crime,1fraud,1roundup

Symantec brings Microsoft complaint to EU

Security software vendor Symantec Corp. has complained to European Commission antitrust regulators about Microsoft Corp.'s entrance into the security business, setting the stage for a possible antitrust case against the software company. The news comes on the day Microsoft announced plans to begin offering business users an integrated antivirus and antispyware product called Microsoft Client Protection (see "Microsoft to combine virus, spyware protection"). A beta version of this product is expected to be released by year's end.

At issue in the complaint is Microsoft's plan to bundle its security software with Windows Vista, the next major version of the Windows operating system due next year.

CATEGORIES:1legal, 1antivirus, 1spyware,1vendor,1virus

Thursday, October 06, 2005

Attacks on messaging networks soar

The growing popularity of instant messaging among businesses and consumers has drawn the attention of malware writers looking to move beyond e-mail for new targets, according to messaging-security specialist IMlogic.

The company's threat center, which tracks instant-messaging activity, reports an eye-popping 3,295 percent hike in the number of instant-messaging and file-sharing worms in the third quarter of 2005, compared with the year-ago quarter. The year-to-date increase is 2,083 percent.

The report suggests that the increasing popularity of consumer instant-messaging networks, combined with the proliferation of enterprise-messaging systems, continues to drive messaging as a popular new medium for attacks. Adding to the problem is that the attacks against these networks are becoming more sophisticated, with 87 percent of reported incidents caused by instant-message worms that require no human intervention to spread.

CATEGORIES: 1IM, 1instant messaging, 1vendor, 1stats, 1report

28 million enterprise IM users

According to an IDC study of the worldwide enterprise instant messaging (EIM) applications market and leading vendors, the value, necessity, and use of instant messaging (IM) applications for business use will continue to increase at least through 2009. More than 28 million business users worldwide used enterprise instant messaging products to send nearly 1 billion messages each day in 2005.

Riding a wave of media attention, hype and new product releases, the worldwide enterprise instant messaging market, which includes both instant messaging server products as well as enterprise instant messaging security, compliance, and management products, jumped 37% in year-over-year revenue in 2004, and is expected to grow from $315 million in 2005 to $736 million in 2009.

CATEGORIES: 1IM, 1instant messaging, 1EIM, 1enterprise IM, 1study,1market,1stats

Nokia to load AV on phones

The mobile phone security drumbeat continues...

Nokia has entered a pact with Symantec to help secure its mobile phones from viruses that target certain kinds of handsets. Under the agreement, announced Wednesday, Nokia plans to arm its Series 60 smart phones with the Symantec Mobile Security antivirus program. The software is designed to ward off attacks that could compromise the extensive data, such as contact databases, that people store on their smart phones, the companies said. The devices typically have many computer-like features, including e-mail and Web browsing, which have made them vulnerable to attacks.

Cell phone virus outbreaks are a small but emerging threat, security experts have said. Nokia and Symantec said their agreement follows two years of joint work to develop mobile security technology. Earlier this year, software maker Kaspersky Lab released its own mobile antivirus software.

CATEGORIES: 1mobile phone security, 1mobile security,1mobility,1phones,1vendors,1agreement,1antivirus

Wednesday, October 05, 2005

Security Facts Roundup

Some security-related items from ZDNet's ITFacts for today:

Top phishing site hosters: USA - 32%, China - 12%, Korea - 11%

32% of malicious Web sites install trojans and unwanted toolbars
A Websense survey takes a look at the malicious sites cropping up on the Web. 32% of such sites install trojans and spyware-ridden toolbars, 31% run malicious code without asking the user, 28% change the user's home page and bookmarks, 5% install dialers, and 4% redirect to a different site.

CATEGORIES:1phishing, 1malicious code, 1trojans, 1spyware, 1stats,1ITFacts

Securing mobile phones

Companies have done a pretty good job of addressing the most pressing near-term wireless security issues, which are mainly at the network and authentication levels.

  • They've paid a premium for BlackBerry's Triple-DES and Fort Knox-like network operations center.
  • For remote access, most firms use VPN tunnels, which are migrating from SSL- to IPSec-based.
  • Companies also are getting a better handle on wireless LAN security.

That's the good news. The bad news is that few firms have taken a holistic look at implementing a more comprehensive company mobile security strategy. A mobile phone is a mini-PC. IT managers will have to evolve their mentality over the next couple of years, driven by two major developments: the rise of mobile devices as potential hosts/perpetrators of security problems or threats, and the fact that firms don't have a good handle on how their workers use these phones for consumer applications, such as downloading music and playing games.

So what, specifically, should you do? The article discusses the following recommended steps in more detail:

  • Start thinking about mobile device management.
  • Develop mobile policies.
  • Start thinking about anti-spam and anti-virus capabilities.
  • Develop a key point of contact at the carrier.

CATEGORIES:1mobile security, 1best practices, 1mobility, 1tips, 1phones

Only 25% have Cybersecurity Insurance

Life is unpredictable. Catastrophes can and do happen. Fires, floods, bombs and lawsuits: businesses get insurance to protect themselves when things, inevitably, go wrong. But few companies have cyber-security insurance despite the pervasive concern about identity theft and increasing information security exposures.

According to the 2005 CSI/FBI Computer Crime and Security Survey, only 25 per cent use insurance to manage cybersecurity risks, although the vast majority of respondents experienced breaches, with average losses of US$204,000.

Why the low uptake to help manage an area many senior executives say is a top priority? "It's a matter of getting the right price for cybersecurity insurance. It comes down to economics. But this is a tough product for insurance companies." A chicken-and-egg problem is at the core. The percentage of organizations reporting computer intrusions to law enforcement continues its multiyear decline, driven by fears of market backlash. But insurance companies need this fundamental information to discern patterns in cybercrime and develop the actuarial databases that form the basis of insurance risk assessment and pricing.

CATEGORIES:1cyberinsurance, 1risk management, 1business continuity, 1survey,1stats

Tuesday, October 04, 2005

Security by the numbers

PC World recently published a Special Report titled The New Security War, which makes an entertaining and informative read. The second-to-last chapter, titled "Security by the Numbers", offers some interesting security statistics:
  1. 31% of businesses rate spyware as a major threat for the next year. [Deloitte Global Security Survey, 2005]
  2. 27% of small or medium-size businesses do not use an anti-spyware product. [Forrester Research, 2005]
  3. 33% of scanned enterprise PCs were infected with adware. [Webroot State of Spyware, 2Q 2005]
  4. 80% of scanned consumer PCs were infected with spyware. [Webroot State of Spyware, 2Q 2005]
  5. 65% of businesses plan to invest in new or additional anti-spyware tools. [Forrester Research, 2005]
  6. 73% of consumers said personal data theft is a deterrent to online banking. [Ipsos Insight, 2005]
  7. 80% of surveyed firms use anti-spyware tools. [Forrester Research, 2005]
  8. 50% of scanned consumer PCs had adware present. [Webroot State of Spyware, 2Q 2005]
  9. $300 is the cost of a do-it-yourself phishing kit. [2005 McAfee Criminology Report]
  10. 13% of Net users say they have an identity theft victim in the household. [Conference Board Research Center, 2005]
  11. 41% of Net users say they're buying less online due to security threats. [Conference Board Research Center, 2005]
  12. 30% of businesses saw unauthorized access to their data. [CSI/FBI 2005 Security Report]
  13. $30.9 million was lost by 639 businesses due to theft of proprietary data. [CSI/FBI 2005 Security Report]
  14. $400 billion was the overall cost of cybercrime in 2004. [2005 McAfee Criminology Report]

CATEGORIES : 1stats, 1report,1spyware,1adware,1phishing,1threats,1trends,1users,1id theft,1crime

Endpoint encryption to go mainstream?

PGP Corp. plans to ship a new encryption software bundle for laptops, desktops and servers, the company said Monday. The new Whole Disk Encryption products offer full encryption of the hard drive disk when a computer is turned off, helping protect the data if the PC is stolen or lost. And the big plus is it's all centrally manageable, which is where corporates stumbled previously when trying to deploy this enterprise-wide.

I am surprised that the big security vendors such as McAfee and Symantec have not climbed onto the PC/laptop encryption bandwagon yet. Customers are finally realising that laptops are high risk and, in addition to AV and Personal FW, want to add H-IPS, Anti-Spyware, Integrity or Compliance Software (for NAC or a Sygate type solution) and finally data encryption.

I think the data encryption demand is a result of several high profile disclosures in the US of laptops with highly sensitive data having been stolen or gone missing. If you look at the graphic table on a previous blog entry titled "Publicized security breaches to rocket", you will see that data taken from the Privacy Rights Clearinghouse shows "Stolen Laptops or computers" as the 2nd largest root cause of data compromise in public disclosures since Feb this year (15 incidents with 500,000 identities exposed), and I think customers are finally getting it that laptops are
  1. at high risk from infection (so they need AV, IPS, Anti-Spyware)
  2. at high risk from infecting others (so they need their integrity checked -NAC, Sygate etc.)
  3. at high risk from being lost/stolen (so they need their sensitive data encrypted)

It would be nice if one security vendor tied this all up into a nice neat little knot... I think customers will be more inclined to purchase encryption software from a vendor that already has a footprint on their PCs, especially if it is already doing 1, even more so if it's already doing 2, rather than buying a separate suite. Currently our customers use one of PGP (niche, still techy use and not corporate, but about to change with this announcement today), Utimaco (German company posting 41% growth for 2005), SafeBoot and PointSec.

It's actually a darn pity McAfee sold off PGP - they would have made a nice complement now that so much security focus is moving to the endpoints.

CATEGORIES:1encryption, 1mobility, 1laptop security, 1endpoint security, policy enforcement, 1compliance,1vendors

Web Security Trends Report

Websense, Inc. today announced the release of the 2005 Semi-Annual Web Security Trends Report issued by Websense Security Labs. The new report summarizes findings for the first half of 2005 and presents projections for the upcoming year. According to the report, the web continued to evolve and grow as an attack vector in the first half of 2005.

The report found a marked increase in the number of malicious websites and in the amount of “crimeware”, a term which refers to using malicious code written with criminal intent. The phishing landscape also changed considerably, and the report identified significant differences in the types of targets and variety of attacks. Spyware has also changed in the way that it is being used, with increasing use of keyloggers and “screen scrapers”, which are Trojan horses designed to capture end-user screenshots, in acts of industrial espionage.

Download the report in PDF format here.

CATEGORIES: 1report, 1stats, 1web security, 1crimeware, 1malicious code, 1spyware, 1phishing

Worms take aim at IM and P2P

Yes, I am on the IM and P2P security bandwagon again!

The number of threats detected for IM and peer-to-peer networks rose a whopping 3,295 percent in the third quarter of 2005, compared with last year, IMlogic said in a statement Monday. That brings the total year-to-date increase for 2005 over the previous year to 2,083 percent, the security software maker said.

And as the attacks increase in number, they also get smarter, IMlogic said. Worm writers are coming up with more effective ways to get people to click on links to their malicious code, and worms can increasingly hop from one IM network to another, it noted.

The numbers echo data reported by Akonix Systems, a rival vendor of IM security products. Last week, Akonix said it identified a record 25 IM pests in September, with seven new threats. The number of attacks in the third quarter averaged just more than one per day, Akonix said.

Businesses can use products from various providers, including IMlogic, Akonix and FaceTime Communications, to protect against IM pests and manage IM usage.

CATEGORIES: 1IM, 1P2P, 1stats, 1worms, 1malicious code,1vendors

Symantec buys BindView

To give another indication of the roles that Integrity Architectures would play in our lives in the future, Symantec plans to acquire compliance specialist BindView for $209 million in cash. BindView, based in Houston, Texas, develops security software that is designed to automate policy and compliance management, vulnerability and configuration management, and directory and access management. Companies have come under increasing pressure to adopt such technologies in order to meet the demands of financial reporting regulations such as those laid down by the Sarbanes-Oxley Act.

The deal comes less than two months after Symantec purchased Sygate Technologies, another regulatory compliance specialist. The BindView purchase is designed to round out Symantec's policy compliance and vulnerability management lineup. With the Sygate acquisition, Symantec currently offers an agent-based technology architecture in which an agent is installed on each system to check for regulatory compliance and management. But for computer systems that do not need agents installed on endpoint devices and can be accessed remotely, an agent-less product like that provided by BindView would be used.

When the big hitters start spending big bucks on Integrity Architectures and Admission control products you know we are in a market making phase. We are going to see interesting battles with the likes of Cisco's NAC which takes an "embedded in the network infrastructure" approach versus Symantec and others who are taking appliance based approaches.

CATEGORIES: 1endpoint security, 1integrity architectures, 1admission control, 1compliance management, 1aquisitions, 1access management,1vendors, 1policy enforcement

Cisco log analysis for cheap bastards

Here is a great paper published last week that I came across from Mark Lachniet titled "Cisco Network Log Analysis for Cheap Bastards".

The paper is intended to explain why network logging and log analysis are important and what systems to log, and to provide detailed, screenshot-illustrated instructions for people who want to do this on their Cisco equipment (especially the PIX firewall) without spending a lot of money. Although you may not get all of the spiffy features that you will find in high-end offerings from companies like Cisco, NetIQ, NetForensics, Network Intelligence, Symantec and others, you can get a very good security bang for the buck with simple and inexpensive systems. Although the document is specifically intended for logging on a Cisco PIX, pretty much the same commands should work for other devices such as routers. You will see different screens, and may detect them differently, but it is essentially the same process.

Given how pitifully few customers I know and see in the field actually perform log collection, let alone log analysis, my view is that any system is better than nothing, even if it's really basic and simple. If it's almost free to implement, then so much the better. Maybe if clients start with this really simple process they will begin to understand the benefits of logging/analysis and start appreciating what the bigger SIM/SEM products can provide.
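As an added example (not from Lachniet's paper or this post), here is the kind of "almost free" analysis the post has in mind: a small Python parser for two of the PIX's standard access-list deny syslog messages (106023 and 106001), run over constructed log lines, that tallies denies per source address and flags sources hitting many distinct ports. The message formats are the documented PIX formats; the hostname, timestamps and addresses in the sample lines are constructed.

```python
import re
from collections import defaultdict

# The PIX tags every syslog message with "%PIX-<severity>-<message id>:".
PIX_RE = re.compile(r"%PIX-(?P<sev>[0-7])-(?P<msgid>\d{6}): (?P<text>.*)")

# Message 106023: a packet denied by an access-group (ACL) on an interface.
DENY_106023_RE = re.compile(
    r"Deny (?P<proto>\w+) src (?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r'dst (?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"'
)
# Message 106001: an inbound TCP connection denied by the firewall itself.
DENY_106001_RE = re.compile(
    r"Inbound (?P<proto>\w+) connection denied from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+)/(?P<dport>\d+) flags (?P<flags>.+?) on interface (?P<iface>\w+)"
)

# Constructed sample log (hostname "pix", RFC 5737 documentation addresses).
SAMPLE_LOG = [
    "Oct 10 2005 09:15:01 pix : %PIX-6-302013: Built inbound TCP connection 4021 for outside:203.0.113.9/51234 (203.0.113.9/51234) to inside:192.168.1.10/80 (192.0.2.10/80)",
    'Oct 10 2005 09:15:02 pix : %PIX-4-106023: Deny tcp src outside:203.0.113.7/41022 dst inside:192.0.2.10/21 by access-group "outside_in"',
    'Oct 10 2005 09:15:02 pix : %PIX-4-106023: Deny tcp src outside:203.0.113.7/41023 dst inside:192.0.2.10/22 by access-group "outside_in"',
    'Oct 10 2005 09:15:03 pix : %PIX-4-106023: Deny tcp src outside:203.0.113.7/41024 dst inside:192.0.2.10/23 by access-group "outside_in"',
    'Oct 10 2005 09:15:03 pix : %PIX-4-106023: Deny tcp src outside:203.0.113.7/41025 dst inside:192.0.2.10/25 by access-group "outside_in"',
    'Oct 10 2005 09:15:04 pix : %PIX-4-106023: Deny tcp src outside:203.0.113.7/41026 dst inside:192.0.2.10/135 by access-group "outside_in"',
    "Oct 10 2005 09:15:05 pix : %PIX-2-106001: Inbound TCP connection denied from 203.0.113.50/33001 to 192.0.2.10/23 flags SYN on interface outside",
    'Oct 10 2005 09:15:06 pix : %PIX-4-106023: Deny udp src outside:198.51.100.4/5000 dst inside:192.0.2.10/161 by access-group "outside_in"',
    "Oct 10 2005 09:15:09 pix : %PIX-5-111008: User 'enable_15' executed the 'logging on' command.",
]


def parse_line(line):
    """Return a dict describing a deny event, or None for lines this analysis ignores."""
    m = PIX_RE.search(line)
    if not m:
        return None  # not a PIX message at all (other syslog sources, noise)
    sev, msgid, text = int(m.group("sev")), m.group("msgid"), m.group("text")
    if msgid == "106023":
        d = DENY_106023_RE.match(text)
    elif msgid == "106001":
        d = DENY_106001_RE.match(text)
    else:
        return None  # built/teardown, audit and other messages are not denies
    if not d:
        return None  # message id matched but the body did not; do not guess
    return {
        "severity": sev,
        "msgid": msgid,
        "proto": d.group("proto").lower(),
        "src": d.group("src"),
        "dst": d.group("dst"),
        "dport": int(d.group("dport")),
    }


def summarise_denies(lines, port_threshold=5):
    """Aggregate denies per source address and flag sources that probed many ports.

    Returns (per_src, flagged): per_src maps source IP -> counters, flagged is the
    sorted list of sources denied on at least port_threshold distinct destination ports.
    """
    per_src = defaultdict(lambda: {"denies": 0, "ports": set(), "dsts": set()})
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        s = per_src[ev["src"]]
        s["denies"] += 1
        s["ports"].add(ev["dport"])
        s["dsts"].add(ev["dst"])
    flagged = sorted(src for src, s in per_src.items() if len(s["ports"]) >= port_threshold)
    return per_src, flagged


if __name__ == "__main__":
    per_src, flagged = summarise_denies(SAMPLE_LOG)
    for src, s in sorted(per_src.items()):
        print(f"{src:>15}  denies={s['denies']:<3} ports={sorted(s['ports'])}")
    print("sources to look at:", flagged)
```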

CATEGORIES : 1SIM, 1SEM, 1best practice, logging, 1log analysis,1tips