Wednesday, December 28, 2005

Texas adds to Sony Lawsuit

The Attorney General for Texas added specific complaints to the state's existing lawsuit against music giant Sony BMG, alleging that the company installed copy-protection software on consumers' PCs even when the users did not agree to the software's license.

"We keep discovering additional methods Sony used to deceive Texas consumers who thought they were simply buying music," Greg Abbott, the Attorney General for the State of Texas, said in a statement. "Thousands of Texans are now potential victims of this deceptive game Sony played with consumers for its own purposes."

Texas became the first state to file a lawsuit against Sony BMG in November, following revelations that the media company had installed surreptitious software programs on the Windows computers of consumers who tried to listen to the company's music titles. The Attorney General for the State of New York is investigating the company's practices, and several private lawsuits have been filed against the company.

The latest additions to the Texas lawsuit allege that Sony BMG's copy protection software--made by either First4Internet or SunnComm--has flaws that undermine the security of any PC on which it is installed. Moreover, the lawsuit claims that even consumers who do not agree to the Sony BMG license could still find the copy protection installed on their system. The new allegations are violations of the Texas Deceptive Trade Practices Act, according to the Attorney General's office.

CATEGORIES : 1spyware, 1legal, 1lawsuit, 1sonygate

Top trends for 2006 : Red Herring

Red Herring has released its top security trends for 2006, under the headline "Security threats will become more sophisticated in 2006, keeping security startups and their customers on their toes."

Data theft wasn’t the only danger in 2005. An Internet worm, Zotob, infected computers at media companies like CNN and financial behemoths like Visa in August. And email nuisances, spam and phishing, were also on the rise. Will it get better in 2006? Not really, say security experts. In fact, the threats may get worse. That’s because just as security systems become more sophisticated, the threats will become more complex and innovative—all in an effort to stay a step ahead.

Here are the security trends to watch for in 2006:

1. Phishing Frenzy
Phishing, the practice of sending fraudulent emails to encourage users to divulge personal or financial information, will increasingly target customers of smaller organizations in 2006.

2. Business Worm’s Rise
Before Zotob struck, computer attacks were often directed at home users. But this worm, which exploited a vulnerability in the Plug and Play service of Microsoft's Windows operating system (the flaw patched in MS05-039 only days before the worm appeared), affected businesses, marking the rise of Internet criminals focused on financial gain.

3. Insider Threat
Many of the data leaks in 2005 may have stemmed from poor security measures. And while companies spend millions securing their networks from intruders, they often ignore one of the most likely sources of leaks: insiders or company executives who can inadvertently or deliberately leak information.

4. Increasing Network Control
The threat of crooked insiders and more stringent compliance regulations will force companies to implement identity-driven networks that control who uses a network. Driving the change is legislation like Sarbanes-Oxley, which calls for specific security measures and complete visibility into network users, devices, addresses, policies, and activity.

5. Wireless Security Focus
Hackers are finding it increasingly easy to steal information from devices that contain people’s private data, as a growing number have wireless capabilities, said security experts. Wireless technologies like Wi-Fi may be more widespread, but many users are still ignorant about the security measures they must use on these networks to keep hackers at bay. Security experts see 2006 as the year when threats on wireless networks will come of age.

6. Increased Security Legislation
Over the last two years, a number of states have enacted laws similar to one in California requiring companies to disclose security breaches to protect state residents from identity theft. In 2006, a federal law along these lines is a strong possibility, security experts said.

7. Voice Spam Begins
The popularity of Skype and VoIP will lead to new forms of spam attacks next year, security experts predict. As VoIP applications become more widely used, there will be a rise in voice spam.

8. Selling to SMBs
Of course, all these new threats can mean new business for security companies. Traditionally, security companies have focused on selling their products to bigger players, as large organizations have big IT budgets that let them spend on securing their networks. But as smaller firms become the targets of security attacks, security startups will pay more attention to them.

CATEGORIES : 1future, 1predictions, 1trends

Friday, December 23, 2005

ITSecurity Magazine reprint

The folks at IT*Security magazine liked the "Outsourcing=Bad Security?" feature story and you can see a revised version of it published on their online publication.

You can download the feature story PDF here: Outsourcing : Does it have to mean bad security?

CATEGORIES: 1feature, 1white paper, 1publications

Wednesday, December 21, 2005

Site Readership

UPDATED : 21 December 2005

WEB SITE
There have been 4,100 unique web site visits to SecurityWrap since 20th May 2005, accounting for over 8,500 page hits (3 days' stories per page). There are 25 unique visitors per day generating 50 hits (on average).

RSS NEWSFEEDS
There have been 2,600 unique visits generated to the XML (RSS) daily feeds since 20th June 2005, accounting for 10,500 hits or "views" of the days' stories. There are 34 readers subscribing to the RSS feeds daily, generating 108 hits per day (on average).

TOTAL STATS
6,700 unique visits and 19,000 "hits" in last 7 months
50% of readership is from Dimension Data, and 50% from the Internet.
20% of readership come from Google, Yahoo, Blogwise and Technorati search engines

CATEGORIES : 1siteinfo

ABN Amro ditches tapes

ABN Amro Mortgage Group Inc. has decided it will no longer send data tapes to its credit reporting bureaus after one of those tapes -- with the private information of more than 2 million customers on it -- went missing a month ago (see "Update: Missing ABN Amro tape with 2 million names found").

Instead, according to ABN Amro Mortgage Group CEO Thomas Goldstein, the company will encrypt data and send it over secure networks when possible. Otherwise, it will use special couriers in an effort to avoid another tape loss.

Click on the image above to view ABN Amro fax sent to the 2 million affected customers.

CATEGORIES: 1encryption, 1victim, 1data loss

Tuesday, December 20, 2005

FEATURE:Outsourcing = bad security?

PREVIOUS CHAPTER : CAVEAT EMPTOR

CHAPTER SEVEN : MAKING A CAREFUL CHOICE
As applications such as telephony, P2P and live messaging rapidly converge onto the network infrastructure, the security of this infrastructure becomes more complex and more important. In addition we are seeing a strong convergence of network, systems and security management as companies like Microsoft and Cisco embed more security functionality into their OS and networking fabrics.

Network Access Control (NAC) and other "Integrity Architectures" are emerging to take their place in the self-defending network of the future, which means configuration, identity and asset management are going to play larger roles in future managed, secure infrastructure. Also, we have seen recently that infrastructure components themselves are subject to security vulnerabilities (see the CiscoGate landing page). Now the proactive "assurance" management of those devices themselves becomes as important as managing standalone firewalls and IDSs. This implies that enhanced configuration, security and patch management are going to play increasingly important roles in infrastructure management.

All this means that careful deliberation needs to be given to the partners used in outsourcing contracts, as you cannot end up in a situation where multiple parties have to manage the same devices to achieve their respective goals. Having too many people with "their fingers in the pot" may defeat the security objectives altogether. Many MSSPs will insist on full device control to provide their services. That was fine with standalone firewalls and IDS/IPSs, but what do you do when the firewall/IDS/IPS functionality becomes embedded in standard routers? Who manages the router bits and who manages the security bits in that device?

Just as applications are converging onto the network, and security is converging into the network and applications/OS we will find that outsourcing functions will converge and customers will increasingly seek out systems integrators and outsourcers that have skills in network management, desktop and branch office life cycle management, systems management and configuration management in addition to world class security expertise. This may very well spell the demise of the boutique security shop or niche managed security services player over time.

This brings our seven-part feature to a close. The final bit of advice is that customers need to try and include infrastructure "Security Assurance Level Agreements" with their standard Service Level Agreements in outsourcing contracts in the future, and minimise the amount of people managing the network components.

JUMP TO LAUNCHPAD FOR THIS FEATURE STORY

NOTE : This was turned into a feature publication in the January 2006 issue of IT Security Magazine. See here for details.

CATEGORIES : 1outsourcing, 1feature, 1best practices, 1advice

Reflections on 2005

We are heading fast for the end of 2005 and it was a year with no shortage of InfoSec action.

Here is my personal summary of the biggest or most important security stories that occurred in 2005, drawn from the 350 postings recorded on this site since May 10th. Selections are made based upon the importance or relevance of the information they provide or their impact/influence on trends we can expect to see developing in the future.

MAY
Microsoft enters the Antivirus Market

JUNE
Data Security Laws sprout in the US in wake of data breaches
Cardsystems breach exposes 40 million account details
Security concerns severely stunt e-commerce

JULY
Sarbanes Oxley worsens security
Professional cybercrime takes hold
Cisco IOS flaw revealed at BlackHat conference

AUG
Wave of Network Worms strike the globe
Publicized security breaches to rocket
Jericho forum challenge winners announced

SEPT
VOIP driving security market
It's official : Combat Spyware at the Gateway
Gartner warns of offshore security risk
Security dominates SOX product spend
CIO/PwC Global State of InfoSec study

OCT
Endpoint data protection will become a big issue and focus
First TNC products released
Top security mistakes to avoid
ISO 27001 Standards published

NOV
Industry Group plans secure VOIP Practices
Security key to convergence
The Sony DRM security fiasco
Regulators force banks to two-factor authentication
Cisco IOS makes it to SANS Top-Twenty lists
Cybercrime proceeds bigger than drug trafficking

DEC
InfoSec professionals gaining clout in boardrooms
Spyware soars in 2005


CATEGORIES: 1reflections, 1trends

2006:Year of mobile malware

Mobile security threats are expected to triple next year as smart phones and other mobile devices become more prevalent, according to a study released Monday by McAfee Avert Labs. The number of malicious software programs created for mobile devices is expected to reach 726 by the end of 2006, up from an estimated 226 at the end of 2005, according to McAfee.

Mobile malware is not the only area expected to rise in the new year, said Craig Schmugar, virus research manager for McAfee Avert Labs. Targeted phishing attacks and potentially unwanted programs (PUPs), such as adware and spyware, are also anticipated to increase. But growth in malicious programs for mobile phones is expected to accelerate the fastest. "They're gaining increased interest from the virus (writing) community," Schmugar said. "And as these devices become more pervasive, they become a bigger target."

Compounding the problem is consumers' lack of interest in applying security software to their mobile devices, Schmugar added. Many consumers view the threat of a mobile attack as less likely to affect them than an infiltration on their PCs, he noted.

CATEGORIES: 1mobility, 1virus, 1trends, 1predictions, 1endpoint security

Guidance Software Hacked

Now this is crazy - Guidance is supposed to be a respected software vendor in the security business!

Online attackers breached the security of a server at digital forensics firm Guidance Software and stole the account information of nearly 4,000 customers, the company acknowledged on Monday according to news reports. The breach, which took place in November, resulted in the loss of customer names, credit-card numbers and the three-digit card verification values (CVVs), which merchants are not supposed to retain, according to reports. The company discovered the theft on December 7 and notified customers by mail. A company spokesperson was not immediately available for comment.

CATEGORIES : 1hack, 1id theft, 1breach, 1disclosure

Monday, December 19, 2005

Survivors Guide to 2006

As 2005 comes to a close, we should cast our thoughts to preparing for 2006. Network Computing has released a number of excellent "Survivors' Guides for 2006", and the two that are relevant for this weblog's users are Survivors' Guide to 2006 : Data Protection and Survivors' Guide to 2006 : Security.

These are good reads and a few excerpts follow:

DATA PROTECTION
Tsunamis. Hurricanes. Accounting fraud. Worms. Viruses. Stolen data. When we named our annual "Survivor's Guide" issue back in 2000, we didn't mean it quite so literally. But after a year fraught with natural and man-made disasters, many IT professionals say their top priority for 2006 is not deploying new technologies, but protecting their data--and their businesses. More than 56 percent of 1,700 Network Computing readers surveyed in 2005 ranked "data security/privacy" a prime target for IT spending in 2006, making it the most frequently cited spending priority.

Why is data security so high on IT's 2006 priority list? Because so many companies were burned--or flooded, or robbed--in 2005. About 16 percent of enterprises experienced some sort of business-interrupting disaster during the year, according to a study of more than 1,200 businesses conducted by AT&T and the International Association of Emergency Managers. Sixteen percent of those enterprises lost $100,000 to $500,000 per day, and 26 percent admit they still don't know how much the disasters cost their companies.

SECURITY
The writing is on the wall: Organizations and individuals will be held accountable for security breaches. The rash of exposures of personally identifiable information (PII) from the likes of ChoicePoint, Lexis-Nexis, Bank of America, CardSystems and a host of other for-profit and nonprofit organizations is just the beginning. Luckily for consumers, state and federal lawmakers are introducing regulations that require exposures to be reported. Someone's head is going to roll; don't let it be yours. The cause of data loss, however, varies by case. The common exposures are lost or stolen hardware and backup tapes, insider abuse, and weak application development leading to exploited security holes and inadvertent exposures. And those are just the breaches that have made it into the press. The clean-up costs in rebuilding reputation, paying fines and legal fees, and re-architecting compromised systems can run into tens or hundreds of thousands of dollars.

CATEGORIES : 1data protection, 1security, 1reports, 1trends, 1survey, 1stats,1advice

Thomson CSO gives lowdown

Dennis Devlin said the reason that CSOs like himself have gray hair is that they get paid to think about the worst things that can happen to their organizations. And companies that do this well don't have to scramble as much when IT security threats emerge, he says.

Devlin shared his experiences as an enterprise decision maker yesterday at a Massachusetts Network Communications Council seminar on network security. Representatives from Cisco Systems Inc., Kroll Ontrack and RSA Security also participated. The Thomson executive heads a council of senior security officers at his company, which employs 38,000, and works with line-of-business personnel. "Security is definitely a team sport," he said.

Devlin said enterprise network security is evolving from what he called an egg model, in which the exterior is hard and the inside is soft, to a stealthy submarine model, where data is compartmentalized, and protection is approached from the inside out. Thomson uses technology from a host of companies, from big names such as Cisco to a mix of start-ups. But beyond technology, end-user awareness is hugely important, Devlin said. That's both in terms of what information they can and can't divulge to outsiders, as well as what constitutes appropriate network behavior.

While Devlin said he doesn't wish for bad things to happen to his counterparts at other companies, he added that CSOs must pounce on opportunities to justify security investments when for example, another company loses backup tapes or has its network crippled by a worm. "You want to use real-life business examples," he said.

Hopefully this weblog can help you with these "opportunities"...

CATEGORIES: 1panel, 1advice, 1trends, 1best practices

Thursday, December 15, 2005

Global InfoSec Workforce Study summary

Ciske van Oosten of our European practice kindly provided this nice summary of the 28-page report on this study. Many CISSPs received a free copy of this report, which can be downloaded from the (ISC)2.org website.

The 2005 Global Information Security Workforce Study (GISWS) was conducted during the summer of 2005 on behalf of (ISC)2, a nonprofit organization dedicated to providing education, certification, and peer-networking opportunities for information security professionals worldwide. (ISC)2 engaged IDC for the second consecutive year to provide detailed insight into the important trends and opportunities in the profession worldwide. This report had 4,305 respondents representing 81 countries. The number of information security professionals worldwide in 2005 is estimated to be 1.4 million, a 9% increase over 2004.

Security Trends and Challenges
Security is becoming operationalized. Movement is away from reactive security, and a more proactive risk management approach is taking hold in large organizations. Government compliance requires due diligence and a longer-term strategy. Regulations are forcing organizations to evaluate and modify their business processes and operations with security in mind. Complexity persists as a security factor. The growing number of systems, networks, applications, and users creates an enormous management challenge.

On training and certification
The number of individuals reporting achievement of a master's degree or its equivalent first stage of tertiary education was up in 2005. For example, 42% of professionals in Europe, Middle East, and Africa (EMEA), compared with 32% last year, reached this level of education. More than 60% of information security professionals stated that they intend to acquire at least one more certification in the next 12 months. On average, 86% of security professionals said that security certifications are important to their career advancement. Certifications are not only important from a career standpoint, but further training enables professionals to stay on top of the most current trends, identify how trends will impact risk to their organizations, and determine best solutions/practices for mitigating risk in the overall context of their organizations' risk management strategies.

The results suggest that the security profession in Central Europe, Middle East, and Africa is not as mature as Western Europe's.

Specifically for the European region:

Top 5 Areas of Interest for Additional Security Training :

1. ISO/IEC 17799
2. Information risk management
3. Business continuity and disaster recovery planning
4. Security management practices
5. Forensics

Top 5 Security Technology Solutions Being Deployed:

1. Identity and access management
2. Security event or information management
3. Business continuity and disaster recovery solutions
4. Risk management solutions
5. Wireless security solutions

CATEGORIES: 1survey, 1summary, 1trends, 1training, 1certification, 1compliance

Security chiefs stuck in middle

Corporate security experts face a crisis as they are caught between regulators demanding better accountability for data security and the need to keep businesses up and running with the help of many business partners, an American Express security executive told Interop New York attendees.

As more data is housed at least temporarily outside corporate data centers, it becomes more difficult to comply with industry and government regulations, said Steven Suther, director of information security management for American Express. "Tell me where your data is and how it is being secured," regulators want to know, he says. "So we need to define at what point is information outside our domain and how is it being protected." But businesses have very little control over how partners with whom they must share data protect it, he says.

CATEGORIES: 1comments, 1users, 1tradeshow, 1survey, 1compliance

Korean banks forced to compensate hacking victims

The South Korean government is introducing legislation that will make it mandatory for financial institutions to compensate customers who have fallen victim to online fraud and identity theft.

The new laws will require financial firms in the country to compensate customers for virtually all financial losses resulting from online identity theft and account hacking, even if the banks are not directly responsible. The country's Ministry of Finance and Economy (MFE) is planning to introduce the legislation in September 2006. MFE says the new laws will help alleviate the fears of some 23 million Korean e-banking, phone banking and ATM users over incurring losses due to online identity theft.

CATEGORIES: 1id theft, 1legislation, 1trends, 1legal, 1law, 1compliance, 1fraud

Databreach wrapup - Nov 2005

According to the Privacy Rights Clearinghouse, here are the publicly disclosed data breaches reported for the month of November 2005.

There were 10 incidents, totalling over 2 million identities compromised. Lost or stolen laptops/computers accounted for 50% of the incidents and also 50% of the compromised identities. Compromises of personal information involve data elements useful to identity thieves, such as social security numbers, bank accounts and driver's license numbers.

It is only a matter of time before we can expect pervasive encryption on laptops and other mobile devices. The scary thing is that since mobile devices such as PDAs and smartphones are generally bought and owned by private individuals, the loss or theft of these devices is probably grossly under-reported, since most organisations do not have visibility of this.

CATEGORIES : 1id theft, 1data breaches, 1stats, 1privacy, 1mobility, 1endpoint security, 1thefts, 1hack

Tuesday, December 13, 2005

Email spills corporate secrets

Six percent of workers admitted that they've e-mailed confidential company information to someone they shouldn't have, according to a study released Monday by messaging research firm the Radicati Group, while 62% said they've used their personal email accounts for business purposes to circumvent security controls placed on their business accounts.

"While 6 percent may seem like a small number, in a 10,000-user organization, it translates to 600 employees leaking intellectual property," said Sara Radicati, president of Radicati, in a statement. "It only takes one e-mail to leak critical trade secrets that can cripple an organization's business strategy."

Sixty-two percent of those polled admitted to sending business messages from their personal accounts; 25 percent said that they regularly forwarded mail from their business to their personal account.

CATEGORIES : 1email security, 1stats, 1users, 1study, 1research

ISF warns of VOIP security

A new report from the Information Security Forum (ISF) warns that along with the existing security problems associated with IP networks, VoIP will present new and more sophisticated threats, such as caller ID spoofing, voice modifiers, SPIT (spam over Internet telephony), packet injection, virus infections and denial of service (DoS) attacks.

With VoIP now poised to hit the business market in a big way, the ISF believes that failure to address these serious risks may bring voice communications to a grinding halt and result in identity theft and loss of sensitive information.

The problems of poor quality transmission and loss of service are gradually being overcome, which is expected to lead to more widespread adoption and reliance on VoIP in the future. This trend is also being driven by cost savings, improved functionality, ease of access and low cost of entry.

CATEGORIES : 1report, 1industry, 1voip, 1threats, 1trends, 1future

Data breach at Sam's Club

Sam's Club, a division of Wal-Mart Stores Inc., is investigating a security breach that has exposed credit card data belonging to an unspecified number of customers who purchased gas at the wholesaler's stations between Sept 21 and Oct. 2.

In a brief statement released Dec. 2, the Bentonville, Ark.-based company said it was alerted to the problem by credit card issuers who reported that customers were complaining of fraudulent charges on their statements.

CATEGORIES: 1hack, 1victims

UK charity hacked

Hackers have stolen the personal details of thousands of donors to a Christian charity Web site and tried to extort money from the victims.

U.K. charity Aid to the Church in Need admitted Monday that its online security systems had been breached by hackers. The charity does not yet know how much money the criminals have stolen, but the addresses of more than 2,000 online donors have been compromised, and the hackers have used these details to contact the benefactors directly to try and extract more money.

Nasty....

CATEGORIES: 1victims, 1hacking, 1idtheft, 1extortion

Monday, December 12, 2005

FEATURE:Outsourcing = bad security?

PREVIOUSLY : FALSE SENSE OF SECURITY

CHAPTER SIX : CAVEAT EMPTOR (Let the buyer beware)

For those organizations that simply cannot afford the investment in resources (both people and technology), be sure of what services you are buying and specifically what exclusions there are in any outsource contract. Frequently, outsourcers offer low bids to win the business and then try to make up for it in change or out-of-scope orders. But we now know that running IT security three years from now the way you run it today will not work. Threats, vulnerabilities and mitigation procedures have changed dramatically over the years, and you must be able to adapt your contract and the underlying security architectures used to keep pace.

If you have questions about the service level commitments or the verbiage in the contract, consult a trusted advisor. A technology partner, independent auditor or legal counsel can help navigate through the complexities. For international and multi-national organizations, it is important to seek advice on compliance requirements in each country you do business in and find out how your service provider is addressing those requirements. Once you understand what the outsourcer is going to do, you need to figure out how you are going to fill the gaps.

Things to consider if you are going to outsource security, either in its entirety or as part of a bigger infrastructure outsource contract:
  1. Note that compliance is the responsibility of the company, not the outsourcer;
  2. How does the service you are buying enable you to better manage risk?
  3. What are the terms of the agreement? Check SLAs, limitations and exclusions so you know exactly what you are getting for your investment;
  4. Be prepared to respond when incidents occur – this means you need an incident response plan and someone to handle the response. You must require the contractor to support post-incident review.
  5. Verify that your outsourcer is compliant with all relevant legislation where you do business, and verify the security procedures and security best practices deployed by your service provider.
  6. Define security-related roles and responsibilities clearly and completely and specify clear security objectives in the SLA for integrity, confidentiality, availability, accountability and use control.
  7. Appoint a security officer even if it is a secondary role to start. The security officer should have a direct reporting line to an executive empowered to address tough questions and make decisions that impact the risk exposure of the company.
  8. Retain the ability to monitor and audit the outsourcer's environment to independently verify fulfillment of all the objectives and expectations.
  9. Ensure contract terms are flexible enough to allow you to adapt to a rapidly changing threat landscape and to avoid being throttled by organizational walls that outsourcing erects and the difficulty of anticipating all the contingencies in a contract.
  10. Measure contractor performance through security metrics such as number of incidents, time to respond to incidents, best practices benchmarking etc.
  11. Even if you're using best practices frameworks such as the IT Infrastructure Library (ITIL) or COBIT for SLAs, make sure you don't rely on them for security - use security-specific frameworks such as ISO 17799:2005 instead.

NEXT : MAKING A CAREFUL SELECTION OF SERVICE PROVIDER

NOTE : Thanks to Chris Thatcher from our North American practice for assisting with this chapter

CATEGORIES : 1feature, 1outsourcing, 1best practices, 1advice


Lock down IOS in 10 steps

It's difficult to overestimate the importance of securing Cisco routers since they provide the communications backbone for so many organizations throughout the globe.

Various industry sources such as SANS (see IOS makes it to SANS top-20) and Symantec (see Hacking to change tack in 2006) have warned that IOS devices are prime attack targets moving forward. We have also discussed the importance of securing your Cisco IOS in various postings you can access from the CiscoGate landing page .

However, as we have identified in previous posts, simply patching your IOS is a non-trivial affair, and the next best strategy while you are grappling with the IOS patching issues is to at least harden or "lock down" these devices. We covered some very detailed and comprehensive tools to do this near the end of the IOS exploit and auditing tools post; however, if you are in a "rush" to do something quickly, I found two great resources on TechRepublic. You will require a quick free registration to download the documents.

Cisco IOS Router : Lock it down in 10 steps

Cisco PIX firewall : Lock it down in 10 steps

CATEGORIES: 1vulnerabilities, 1ios, 1ciscogate, 1best practices, 1advice

Hacking to change tack in 2006

Mobile devices, Cisco routers, Oracle software, VoIP and Windows Vista: businesses can expect all these and more to become hacker targets in the next year and beyond, according to Symantec.

Symantec thinks one of the biggest developments will be attacks and attempts on alternative devices and platforms. As networked and user devices gain more intelligence and more computing power, they may become targets. "We're seeing a shift in emphasis over to non-PCs: your router, your switch, your back-up device," Cole says. "It's like whack-a-mole. You hit one and another pops up. We've now got to make sure the entire infrastructure is protected."

CATEGORIES: 1trends, 1forecast, 1predictions, 1hacking

$6Bn bill for Sarbanes Oxley

AMR Research estimates that companies will spend $6 billion on complying with Sarbanes-Oxley Act (SOX) requirements in 2006, on par with the $6.1 billion that will be spent in 2005. These findings are based on a recent study conducted by AMR Research in which over 300 business and IT leaders were surveyed on their Sarbanes-Oxley and broad compliance spending priorities.

In 2006, there will be key differences in how budgets are spent. Budgets allocated to internal headcount are expected to fall by 8% while the technology allocation will grow by more than 13% in real dollars over 2005 numbers. External consulting activities, which do not include audit fees, are expected to hold steady in 2006.

  • $2.3 billion (39%) - Internal labor / headcount
  • $1.9 billion (32%) - Technology
  • $1.8 billion (29%) - External consulting

Given that technology spending will grow by 13%, I would say that a large chunk of this will be security-related, based on the findings of a previous survey (see Security dominates SOX product spend).

CATEGORIES : 1study, 1research, 1users, 1spending, 1stats, 1compliance

Home PCs lack security

A survey of home PC users found 81 percent lacked at least one of three critical types of security, but the number of consumers using firewalls and updated antivirus software is improving.

The vast majority of consumers surveyed were found to lack at least one of three types of critical security--a firewall, updated antivirus software or anti-spyware protection, according to a report by America Online and the National Cyber Security Alliance. Of this group, 56 percent had no antivirus software, or had not updated it within a week, while 44 percent did not have a firewall properly configured, according to the report. Meanwhile, 38 percent of survey respondents lacked spyware protection.

Nonetheless, some improvements have been made. The number of homes with properly configured firewall protections rose to 56 percent from 28 percent a year ago.

CATEGORIES: 1users, 1antivirus, 1spyware, 1endpoint security, 1survey, 1stats

Airport codes leaked

Passcodes needed to enter secure areas at 16 Japanese airports and one in Guam have appeared on the Internet after a virus infected a computer belonging to a Japan Airlines Corp. (JAL) co-pilot, the airline said today.

The codes, which included those for Tokyo's Narita and Haneda airports and an airport in the U.S. territory of Guam, are typically known to scores of airport workers who need to gain access to areas normally off limits to passengers, said Geoff Tudor, a spokesman for JAL in Tokyo. Airline staff, particularly those on domestic routes, need to know a large number of codes because of the numerous airports served and typically have a list similar to that leaked, he said.

CATEGORIES: 1hack, 1passwords, 1mobility

Friday, December 09, 2005

Cartoon : Bill Gates Hack

CATEGORIES : 1cartoon, 1microsoft, 1bill gates

Phishing Scams Dupe 70% of Targets

Now this is really concerning - it looks like organised crime is onto a darn good business model here, much better than spamming in fact. A study released Wednesday by America Online and the National Cyber Security Alliance looked at Internet security and "phishing scams." Phishing refers to e-mails that appear to come from banks or other trusted businesses and are used to induce recipients to "verify" their accounts by typing personal details, such as credit card information, into a Web site disguised to appear legitimate.

About one in four Internet users are hit with e-mail scams every month that try to lure sensitive personal information from unsuspecting consumers, the study says. Of those receiving the phony e-mails, most thought they might be from legitimate companies. Seven in 10, or 70 percent, were fooled by the e-mails, said the report.

The study found nearly three-quarters of those surveyed, 74 percent, use their computers for sensitive transactions such as banking, stock trading or reviewing medical information. That leaves phishers with a good chunk of Internet users to target.

A bit different from spamming, where you work off 0.1% hit rates, I would say!

CATEGORIES: 1phishing, 1cybercrime, 1report, 1stats, 1users

Spyware soars in 2005

Companies have seen a dramatic increase in spyware infections this year, according to the 2005 Security Threat Management Report from antivirus software company Sophos PLC.

Sophos attributes the increase to the business model used by virus writers. The goal for virus writers is financial gain through long-term infection, which is why spyware usage has been so prevalent.

The global report (registration required), released Tuesday, found that spyware rose to 66.4% of all malicious software threats in November this year. In January, 54.2% of all threats included a spyware payload, and the year to date has shown a 48% increase in malware compared to 2004.

CATEGORIES : 1spyware, 1report, 1stats, 1trends, 1threats

CSOs, CISOs Gaining Clout in Boardrooms

A study released today by the International Information Systems Security Certification Consortium, also known as the (ISC)2, shows that CSOs are gaining clout in the boardroom as they -- and their boards of directors and CEOs -- are more accountable for information security and risk management strategies.

A release from the group said the study showed the "ultimate responsibility for information security moved up the management hierarchy, with more respondents identifying the board of directors and CEO, or a CISO/CSO as being accountable for their company’s information security."

The study, based on a survey of 4,305 information security professionals in 80 countries, was conducted by International Data Corp. Specific findings include:
  • The majority of respondents (73%) expect their influence with executives and the board of directors to increase in the coming 12 months, as talks between security and other business executives shift from technical subjects to risk management strategies.
  • Nearly 21% of respondents, up from 12% in 2004, say their CEO is now ultimately responsible for security.
  • Accountability assigned to the CIO dropped to about 30.5% from approximately 38% in 2004, while accountability assigned to CISO/CSOs rose to 24% from 21% in 2004.
  • Organizations spend on average more than 43% of their IT security budgets on personnel, education and training.
  • Professionals are looking for additional training in business continuity (50.5%), forensics (50.3%), and risk management (48%), all of which ranked higher than the demand indicated in 2004.

CATEGORIES : 1trends, 1risk management, 1compliance, 1stats, 1study


Cisco's Chambers on Security

Cisco Systems Inc. CEO John Chambers talked yesterday about competition, partnerships, security and emerging markets to reporters at the company's 11th annual Worldwide Analyst Conference in Santa Clara. Among other things, here were his comments on security vulnerabilities in Cisco IOS and other products.

"Security is something that will be with us for another decade and beyond. As quickly as you evolve a solution, another set of problems comes up. We made the decision as a company 10 years ago that security was an architectural play, and acquired 15 companies to handle the problem -- and have over 1,500 Cisco employees in the security area. We have begun to build self-defending networks.

Like any architecture that works end to end, there are elements you add to constantly improve, and it's a constant battle. Do we have issues we have to address with security? Yes. And we encourage security researchers. But you don't get ahead by putting [a vulnerability] on the front page of a paper, because you hurt everyone. Let us address it and find the right way to go about [fixing vulnerabilities]. We have 60 partners working on Network Access Control. You can call us the Switzerland or a leading player in this partnership.

This challenge will slow down the whole industry. Most security researchers want to help and don't intend to hurt people. We don't [want] anybody to take this tremendous asset and cause exposures, to bring down hospital networks and 911 networks."

CATEGORIES : 1vulnerabilities, 1ciscogate, 1disclosures, 1nac

New York breach law goes live

New York has joined the growing list of U.S. states requiring that companies notify their customers whenever private information has been compromised. On Wednesday, the state's Information Security Breach and Notification Act went into effect. The law, which is similar to California's SB-1386 notification law, requires businesses and state agencies to inform New York residents "whose unencrypted personal information may have been acquired by an unauthorized person."

New York's Notification Act is one of a growing number of legislative and regulatory efforts that are forcing executives to pay more attention to security. Now, as in California, if your customers' information is compromised, or if you have reason to believe it may have been compromised, you have to report it. There's a real risk to brand name and to your public reputation.

According to a recent survey of security breach victims in the U.S., 20 percent of respondents said they had terminated their relationship with the company in charge of the data. Another 40 percent said they would consider doing so, according to the study, which was conducted this year by Ponemon Institute LLC.

Since California's notification law was passed, it has brought dozens of information security breaches to light and put computer security and privacy in the public spotlight. The first company to disclose a security breach under the California law, information vendor ChoicePoint Inc., recently took a US$6 million charge for legal expenses and fees related to the theft of personal information belonging to 145,000 consumers that had been stored in its database.

CATEGORIES: 1first, 1legal, 1privacy, 1id theft, 1compliance

Tuesday, December 06, 2005

ISS withholding IOS vulnerabilities

The computer security researcher who revealed a serious vulnerability in the operating system for Cisco Systems routers this year says he discovered 15 additional flaws in the software that have gone unreported until now, one of which is more serious than the bug he made public last summer.

Mike Lynn, a former security researcher with Internet Security Systems, or ISS, said three of the flaws can give an attacker remote control of Cisco's routing and gateway hardware, essentially allowing an intruder to run malicious code on the hardware. The most serious of the three would affect nearly every configuration of a Cisco router, he said. "That's the one that really scares me," Lynn said, noting that the bug he revealed in July only affected routers configured in certain ways or with certain features. The new one, he said, "is in a piece of code that is so critical to the system that just about every configuration will have it. It's more part of the core code and less of a feature set," Lynn said.

Like the earlier bug, the more serious of the new bugs is in Cisco's Internetwork Operating System, or IOS, said Lynn. Another dozen unpublished vulnerabilities can allow someone to conduct a denial-of-service attack against the router, crashing it over the internet, he said.

Lynn, who now works for Cisco competitor Juniper Networks, told Wired News that ISS has known about additional flaws in the Cisco software for months but hasn't told Cisco about them. This is serious, Lynn said, because attackers may already be developing exploits for the vulnerabilities. Cisco's source code was reportedly stolen in 2004 and, while doing research on the IOS software, Lynn found information on a Chinese-language website that indicated to him that Chinese attackers were aware of the security flaws in IOS and could be exploiting them.

RELATED TOPICS : CiscoGate Landing page, IOS makes it to SANS Top-20, IOS exploit tools

CATEGORIES : 1ciscogate, 1threats, 1vulnerabilities, 1ios

Security Wrap-up : November

Here is the "wrap-up" for November 2005 security stories as reported in the Security Wrap monthly e-mail digest.

1. TOP STORIES FOR NOVEMBER 2005

These were the most read (most popular) posts for the month of November 2005:

IOS makes it to SANS Top-20
IOS Exploit and auditing tools
Cisco IOS (CiscoGate) Landing Page
Norwich Union locks down removable media
Outsourcing leads to bad security - Chapter 5
Cartoon : Botnets
Security key to convergence
Infosec market will never mature
Security set back by six years
Top security mistakes to avoid

SEE ALSO : Top stories for October 2005, Top stories for September 2005

2. NAME, SHAME, VICTIMS & DISCLOSURES

Investors exposed in Scottrade brokerage hack
Boeing exposes 161,000 identities
Sony security blunder
Hackers empty brokerage accounts
Pizza chains' half-baked security

3. COMPLIANCE, LAW & LEGAL

Unsecured WiFi to be outlawed?
Sonygate : The lawsuits abound
Compliance undermines security
Compliance takes top spot in Infosec drivers
Regulators force banks to 2-factor authentication
UK DoS attacks are not illegal
Microsoft chiefs call for national privacy law
BotNet mastermind charged
Security takes back seat to compliance
SEM comes of age

4. MARKET SPEND & SIZING

Cybercrime earnings bigger than drug trafficking
Security still top spending priority
Robust EMEA information security market

5. RESEARCH & SURVEYS

High cost to data breaches
Employee email habits are a risk to business
Privacy of personal info is top concern
Sloppy handheld habits threaten security
EU doubts VOIP Security
CIOs fear IP Network Security
Security in China shows huge cracks
ITFacts Security roundup
Security OpSec tops outsourcing trend
InfoSecurity key to convergence
Laptops pose massive security risk
BotNets increase 140%

6. CASE STUDIES

Chevron ditches passwords
Norwich Union locks down removable media
Security reduces PC longevity at Bank of N.Y.

7. ADVICE, PAPERS & BEST PRACTICES

Outsourcing & bad security - False Sense of Security
Outsourcing & bad security - Knee Jerk Reactions
Outsourcing & bad security - The Rude Awakening
The new economics of InfoSec
Top security mistakes managers make
InfoSec market will never mature
Insecurity of removable media

8. THREATS, TRENDS & CRYSTAL BALL GAZING

Hackers to target copiers next?
First trojan using Sony DRM spotted
Oracle's first worm spotted
Australia Zombie crackdown
Industry group plans secure VOIP
Cisco IOS : Next big concern

9. VENDOR

Juniper buys Funk for NAC
Bluecoat removes encryption blindspot
McAfee endpoint security solution launched

10. OTHER

Sonygate : Artists bay for blood

CATEGORIES: 1wrapup

Top stories for November 2005


Security appliances top $1Bn in 3Q05

Worldwide revenues from the sale of network security appliances and software reached $1 billion last quarter, according to a new study from Infonetics Research. Though this represents only 1% growth over the previous quarter, network appliance and software revenues are growing at a healthy rate over the longer term. Infonetics forecasts a 21% overall revenue increase over the next year, with annual revenues from network security product sales reaching $6 billion by 2008.

Highlights
  1. Cisco leads the overall network security appliances and software market with 35% of total revenue; Check Point is second with 10%; Juniper is third with 8%.
  2. VPN and firewall appliances and software make up 77% of revenue, IDS/IPS 14%, and gateway anti-virus 9%.
  3. By 2008, IDS/IPS will make up 15% and gateway anti-virus 12%.

"There is a lot of talk in the security market about 'network access control,'" said Jeff Wilson, principal analyst at Infonetics Research. "NAC is really the holy grail of network security, and is no simple feat, as it will impact all types of products, from client software, to security appliances, to network infrastructure, to the back-end. NAC implementations will drive purchases of network integrated security products, SSL VPN products, and an emerging category of NAC controller appliances, all of which we will track closely with this service moving forward."

CATEGORIES : 1market stats, 1revenues, 1spend, 1market share, 1appliances, 1research

Network security in shaky state

Resourceful I.T. security professionals are getting the job done, but their efforts have been hampered by undersized staffs and underfunded budgets that limit choices ranging from what products they buy to the vendors they work with.

The third annual Strategic Deployment Survey conducted by Secure Enterprise, an InformationWeek sister publication, polled more than 1,500 IT-security pros about their companies' security and their tactics for dealing with challenges. Follow-up interviews provided even more details on the state of IT security.

The survey shows IT security staffing almost unchanged from last year--and, in a word, deficient. Forty-four percent of this year's respondents describe their security groups as moderately understaffed, with 21% saying they're severely understaffed. Linked to frustration about understaffing is concern that not enough IT dollars are earmarked for security. And sometimes, IT-security managers say, that translates directly to greater organizational vulnerability.

Several factors influence how security managers spend the money they have. The top drivers in this year's survey were improved business practices, auditing regulations, industry standards, security breaches from external sources, legislative regulations and protection of brand or corporate image. Other organizations are building an overall "culture of security." Even when a dedicated security staff exists, the job often involves educating IT and non-IT staff about security risks and needs.

Survey results also show a growing commitment to put higher-level people in charge of security. Last year, only 12% of survey respondents reported that their organizations had a chief security officer. This year, that number rose to 18%. Similarly, only 12% of last year's respondents said they had a chief information security officer; this year, that figure climbed to 22%.

Full survey results can be downloaded here.

CATEGORIES: 1survey, 1staffing, 1budgets, 1compliance, 1drivers

Database vendors lack security

According to this article, customers are being driven to third-party security solutions because the major database vendors don't yet meet user needs.

Analysts comment that databases are not hardened and are still at the low end of the spectrum in terms of security. Even though their licenses cost tens of thousands of dollars, big commercial databases aren't meeting user demand for increased data security and privacy.

"While database vendors are beefing up security in their products, companies should look to third-party vendors to supplement additional requirements that are not yet met by DBMS vendors, such as database firewalls, assessment, simplified encryption and granular auditing solutions," Forrester Research Inc. analyst Noel Yuhanna wrote in a Nov. 29 report.

Vendors of database security tools include Lumigent Technologies Inc., IPLocks Inc., Guardium Inc. and Protegrity Corp.

CATEGORIES : 1database, 1encryption, 1data at rest, 1trends

Monday, December 05, 2005

The Internet Sopranos

Very interesting article on organised crime and the structures and criminal business models that are forming around cybercrime in particular. The article opens with the line "Welcome to the age of the Internet gangster. Gone are the days when young computer nerds sat alone in their rooms figuring out how to break in to their schools' computer systems to change grades. Also fading into nostalgia are the times when hackers teamed up with small-time hoods to pull off credit-card scams that victimized local banks."

Recommended read.

CATEGORIES : 1cybercrime, 1article, 1legal

GreenBorder Survey results

In a recent GreenBorder survey, IT managers from more than 70 mid-tier customers identified data protection and privacy as their top priority for Internet security. However, they report having to dedicate a significant percentage of their resources to cleaning up and patching infected systems, in spite of near-universal (97 percent) deployment of conventional defenses such as anti-virus and network firewalls and widespread (75 percent) restrictions on use of Internet content. User behavior and mobile systems were identified as the culprits that most often lead to malware penetrating the enterprise.

This is a worthwhile read.

CATEGORIES : 1survey, 1users, 1trends

Friday, December 02, 2005

Retailer charged for bad security

Shoe retailer DSW Inc. agreed to beef up its computer security to settle U.S. charges that it did not adequately protect customers' credit cards and checking accounts, the Federal Trade Commission said on Thursday.

DSW said this spring that identity thieves had gained access to debit card, credit card and checking account information of more than 1.4 million customers, one of a string of such security breaches announced by U.S. companies this year.

The FTC said the company engaged in an unfair business practice because it created unnecessary risks by storing customer information in an unencrypted manner without adequate protection. As part of the settlement, DSW set up a comprehensive data-security program and will undergo audits every two years for the next 20 years.

CATEGORIES: 1hack, 1id theft, 1encryption, 1legal, 1costs

Thursday, December 01, 2005

Infosec takes business approach

Increasingly, corporate security goals aren't about information security but about information assurance, which deals with issues like data availability and integrity.

Regulatory compliance issues and concern over data compromises have brought information security issues to the forefront in corporate boardrooms, according to a panel of I.T. security managers at the Computer Security Institute.

That trend is forcing security managers to adopt a more business-oriented approach to creating security strategies. Selling management on the need for information security has become easier for I.T. managers because of privacy threats, data piracy and other issues, said Terri Curran, director of information security at Framingham, Mass.-based Bose Corp. "In a sense, the road has been paved more for us. Management knows they've got to have security."

Looking ahead, the panel predicted that CISOs will have two distinct career paths: a technology-focused position that reports to the CIO, and a business-focused role that works with chief risk officers.

CATEGORIES: 1risk management, 1panel, 1trends, 1rosi, 1compliance