Cyber Security Institute

Saturday, June 20, 2009

1 In 5 Companies Cutting IT Security Spending, Our Survey Finds

Budget woes, increased regulation, and new challenges for sensitive data are on the menu for risk managers.  Cutting IT security spending, unthinkable a couple of years ago, is officially on the table.  Just a year ago, even with a recession taking hold, only 6% of companies planned to trim security.  This year, 19% are cutting, our Strategic Security Survey finds, while only 27% are increasing spending on IT security, down from the 40% who were increasing it a year ago.  At the same time, CEOs desperate to make their quarterly numbers may enter new businesses or find ways to trim expenses with less concern for the impact on data security.  If you thought you had a handle on your organization’s appetite for risk, chances are the economy has changed the dinner portions.

Thursday, May 07, 2009

Heartland breach cost $12.6 million, CEO says

Heartland Payment Systems Inc. said it was experiencing losses this quarter as a direct result of a massive data breach it disclosed in January when investigators discovered a malicious program sniffing credit card data passing through its systems.  The company said it took a $2.5 million loss for the quarter as a result of spending more than $12.6 million in legal bills, fines from MasterCard and Visa and administrative costs.

Startup Takes New Spin On Online Fraud Detection

A security startup is preparing to emerge from stealth mode with a new technology that detects in real-time whether an online user or member of a social network is legitimate—and not a bot, automated tool, or criminal performing financial or other online fraud.  Pramana, which will officially launch in July, has developed what it calls HumanPresent, a technology spun off from research at Georgia Tech that catches online fraud in action, real-time, using a dynamic method of identifying human behavior anomalies while at the same time preventing the fraudsters from detecting that they’re being watched.

Expert Names Top 10 Audit Issues of 2009

As IT environments become more complex, enterprises rely on them more than ever before, said Michael Juergens, principal at Deloitte & Touche, speaking at the ISACA CACS audit and compliance conference.  Top challenges include cloud computing, virtualization, and a company’s own employees.  “There may be a greater or lesser risk depending on your industry, technology, business processes, and other factors,” he added.  He said that auditors should make a careful risk assessment at any enterprise that uses external cloud computing solutions.  Juergens added that virtualization, often a key component of private clouds, carries the same risks as public clouds.

Wednesday, May 06, 2009

The New Face of Cybercrime Revealed

If one thing is clear from Verizon’s recently published 2009 Data Breach Investigations Report, it is that cyber crime has taken on a frightening level of maturity.  This is the second year that Verizon has published data from the breach investigation work it performs for its clients.  While these [other] reports do drive home the expense, loss of reputation, and compliance requirements associated with good data protection, they do not shed the same light on attacker methodologies that Verizon’s does.

Friday, May 01, 2009

Experts Chart Spike in Cyber Sieges

Cyber attacks with enough firepower to knock entire countries off the Internet have spiked in recent months, raising fresh concerns within the security community about weaknesses in the Internet infrastructure that help create such weapons of mass disruption.  These “distributed denial of service” or DDoS attacks use robot networks or “botnets”—many hundreds or thousands of compromised PCs—to flood targets with so much junk traffic that they can no longer accommodate legitimate visitors.  While DDoS attacks have been a common threat since the dawn of the commercial Internet, DDoS watchers, such as Arbor Networks, have tracked a recent spike in the number, sophistication and size of attacks against major Internet providers.  Attackers also appear to be picking bigger targets.

Friday, March 27, 2009

New Rootkit Attack Hard To Kill

Researchers have come up with a way to create an even stealthier rootkit that survives reboots and evades antivirus software.  Anibal Sacco and Alfredo Ortega, both exploit writers for Core Security Technologies, were able to inject a rootkit into commercial BIOS firmware using their own Python-based tool that installed the rootkit via an update, or flash, process.

Thursday, March 12, 2009

Worldwide Cybercrime Police Network Grows (PC World)

More countries are joining a network designed to quickly react to cybercrime incidents around the world, a senior U.S. Federal Bureau of Investigation official said Wednesday.  Fifty-six nations are now part of the 24/7 Network, which means a country has a computer security official available at all times to help meet requests for data or preservation of data from another nation, said Christopher Painter, deputy assistant director of the FBI’s cyberdivision.

Better metrics needed for security, says expert

The security industry has done a poor job of finding ways for companies to measure their security, but that does not mean that collecting data is not valuable, the former head of the U.S. Department of Homeland Security’s cyber group told attendees at the SOURCE Boston conference on Thursday.

Securely booting from strangest of places

Could FOSE 2009 be remembered as the year of the bootable portable drive?

On the show floor, a number of vendors are displaying USB drives, enclosed hard drives, or other portable media from which an entire operating system and its associated applications can be booted.

Tuesday, March 10, 2009

Massachusetts Data Protection Law Date Extended: What Your Business Needs to Know

For the second time in four months, the Commonwealth of Massachusetts has pushed back the implementation of its new data protection law - one of the toughest in the nation.  Yet even with the new deadline of January 2010, many of the businesses impacted by these stringent data protection requirements won’t be compliant, say industry experts familiar with the new regulation.  The regulation is described by many as the nation’s most cumbersome data security regulation.  It will require all entities that license, store or maintain personal information about a Massachusetts resident to implement a comprehensive information security program—even if the business or entity does not have offices in the state.

Cyberattack mapping could yield blueprint for cyber defense

Cyberwarfare has long since moved beyond the imaginations of Hollywood producers and science fiction aficionados.  Countries, corporate entities, rogue states and motivated hackers are all online and actively testing the defenses of networks.  Understanding how automated cyberwarfare works and how to defend against coordinated cyberattacks has become critical to the national defense interest.  Researchers at Sandia National Laboratories have been mapping out attacks against large-scale computer networks to develop massive cyberattack simulations.  Their work could impact the cybersecurity industry by enhancing security defense mechanisms.

Monday, March 09, 2009

NIST suggests areas for further security metrics research

The National Institute of Standards and Technology (NIST) doesn’t have the answer for this, but scientists in its Computer Security Division have identified some areas for further research they hope might yield results.

Friday, February 27, 2009

Japan Cybercrime Grows by 15.5 Percent

Internet security software provider Finjan (http://www.finjan.com) announced on Friday that it has just published the 2008 cybercrime figures from Japan, which reveal 15.5 percent year-on-year growth.  “Anecdotal evidence suggests that the volume and value of cybercrime has soared again in 2008 and, with the current economic recession, we fully expect the number of Internet scams, hacks and malware-driven infections to increase even faster in 2009,” says Ben-Itzhak, Finjan Chief Technology Officer.

PCI council offering “milestones” for compliance

The organization charged with administering the Payment Card Industry Data Security Standard (PCI DSS) is trying to give merchants a compliance blueprint.  The Prioritized Approach Tool offers six “milestones” that businesses should try to reach in their pursuit of compliance, said Lib de Veyra, the newly appointed chairman of the PCI Security Standards Council, which manages the guidelines.

Friday, February 20, 2009

Google’s Best practices against hacking

These days, the majority of websites are built around applications that provide services to their users.  In particular, content management systems are widely used to create, edit and administer content.  Because these systems are interactive, with user input at their core, it is important to think about security in order to avoid exploitation by malicious third parties and to ensure the best user experience.

Storm Lingers Over Cloud Movement

Everyone is talking about the race toward cloud-based computing, but apparently, most organizations aren’t rushing to embrace the emerging Web-based infrastructure as quickly as they might - based at least in part on concerns over security.  A new study into cloud computing adoption trends published by enterprise IT consultants Avanade and conducted by pollsters at Kelton Research finds that security remains a significant question in the minds of many C-level executives and IT managers.

Thursday, February 19, 2009

Gartner: Don’t assume SaaS is cheaper

The analyst firm said that there has been a “great deal of hype” around SaaS and that businesses had misconceptions about its cost.  SaaS is cheaper during its first two years of use, Gartner said, but the total cost of ownership over five years would be lower for on-premises software.  In its report “Fact-Checking: The Five Most-Common SaaS Assumptions,” Gartner also warned that SaaS was not necessarily faster to implement.

Wednesday, February 18, 2009

Clear Guide on How to Benefit from ISO27001 in a Windows® Environment Now Available

Independent compliance expert IT Governance has today announced the publication of ‘Implementing ISO27001 in a Windows® Environment’ (http://www.itgovernance.co.uk/products/2207), a step-by-step guide to implementing this major security standard, written with the aim of helping project managers, IT and security staff develop a shared understanding of which controls are appropriate to mitigate identified risks, and how to apply them within the Windows® environment.

SenSage Named Leader in Japanese Market for SIEM and Log Management

Enterprise software leader SenSage, Inc. has earned the top spot in market share for security log management software in Japan, according to a report by Japanese market analysis firm ITR Corporation.  The study of nearly 30 vendors that compete in the security log management market in Japan shows SenSage with a dominant market share of 30.4 percent, nearly twice that of the nearest competitor.  ITR cited SenSage’s network of distribution and reseller partners and overall product quality as key differentiators in the marketplace.

Tuesday, February 17, 2009

Number of reported cyber incidents jumps

Federal civilian agencies reported three times as many cyber-related incidents in fiscal 2008 as they did in fiscal 2006 to the Homeland Security Department’s office that coordinates defenses and responses to cyberattacks.  The agencies reported to DHS’ United States Computer Emergency Readiness Team (US-CERT) a total of 18,050 incidents in fiscal 2008, compared with 12,986 in fiscal 2007 and 5,144 in fiscal 2006, according to DHS officials.  Overall, the total number of incidents reported to US-CERT from commercial, foreign, private, and federal, state and local government sectors rose from 24,097 in fiscal 2006 to 72,065 in fiscal 2008.

Thursday, February 05, 2009

Tenable Releases Database Auditing Capability

Tenable Network Security, Inc., the leader in Unified Security Monitoring and creator of the popular and award-winning Nessus(R) vulnerability scanner, today announces a new capability for Nessus users to audit the configuration of many different SQL databases. These checks are only available to Security Center users and ProfessionalFeed subscribers.

Sunbelt Pioneers New Anti-Virus Technology

US company Sunbelt Software is set to become one of the first anti-virus vendors to embrace a promising but as yet little-used technique for malware detection known as ‘file emulation’.  Released this week to UK users after a US launch some time ago, the company’s Vipre Enterprise anti-malware client is on the face of it just another program jostling for attention with the admin-friendly claim that it can protect PCs from malware without slaughtering performance.  Known in company jargon as ‘MX-Virtualization’ (MX-V), Vipre effectively creates an emulated Windows PC in a sandboxed area of memory, mimicking API functions such as the Windows registry, file system, and communications interfaces to see what a file is trying to do.

Playing cricket, 3 miles up

The National Hockey League accomplishes something really special whenever it stages an outdoor hockey game in temperatures so frigid they would emasculate a simian forged from zinc and copper.  Yet as impressive as that may be, there is a cricket team in England that is about to do them one better.  The lads are going to play a cricket match on Mount Everest.

Monday, February 02, 2009

S’pore data protection enforcement needs bite

As it puts together its data protection framework, Singapore can learn from economies such as Hong Kong, for example by appointing an official or agency for enforcement, according to a Singapore-based consultant.  Last month, Minister for Information, Communication and the Arts Lee Boon Yang said in Parliament that the work of an inter-ministry committee formed to review Singapore’s data protection regime is still ongoing.  “We’re currently looking into developing a data protection model that can best address Singapore’s privacy concerns, commercial requirements and national interest,” he said.  “As data protection is a complex issue, with extensive impact on all stakeholders, this review will take some time.”

Saturday, January 31, 2009

Archer Technologies Acquires Brabeion Software

Archer Technologies, a provider of enterprise governance, risk and compliance (GRC) solutions, today announced that it has reached a definitive agreement to acquire Brabeion Software Corporation, a market-proven provider of IT-GRC management software.  The acquisition solidifies Archer’s acknowledged IT-GRC industry leadership and will strengthen the company’s ability to deliver outstanding enterprise GRC solutions.  With the acquisition, Archer will leverage Brabeion’s industry-leading content library to further enhance its best-in-class Policy Management solution.

Friday, January 30, 2009

During Layoffs, Superior ID Management Is an Imperative

More than 125,000 people have lost their jobs in the last month alone, and not all will have the best of intentions toward their former employers.  Companies reducing their work forces must lock down user accounts, and solution providers can assist with identity management solutions.  Under pressure from sagging earnings, the premium coffeehouse earlier this week announced that it would close 300 stores and lay off more than 7,000 workers.  Microsoft, Boeing, AstraZeneca, Sprint and Home Depot are among the household-name companies to slash thousands of jobs this week alone.  Regardless of industry or size, all companies reducing their work forces share something in common: all of their employees have some level of access to networks or applications.
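The practical control behind "lock down user accounts" is a reconciliation between the HR termination feed and the directory: any account that is still enabled, or that has logged on, after its owner's termination date is a finding. The following is an added example, not code from the original article or any vendor it mentions. It assumes a hypothetical directory export and HR feed; both data sets below are constructed for illustration, and the `grace_days` parameter is an assumed policy knob.

```python
"""Reconcile an HR termination list against directory accounts.

Added example (not from the original page).  Input data are constructed
samples; a real deployment would feed these from an HR export and a
directory query (e.g. an LDAP search for userAccountControl/lastLogon).
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Account:
    username: str
    employee_id: str          # empty string = no owning employee on record
    enabled: bool
    last_logon: Optional[date]


@dataclass(frozen=True)
class Termination:
    employee_id: str
    effective: date           # last day of employment


# Constructed sample data; names and IDs are fictitious.
DIRECTORY: List[Account] = [
    Account("jdoe", "E1001", enabled=True, last_logon=date(2009, 1, 29)),
    Account("asmith", "E1002", enabled=False, last_logon=date(2009, 1, 10)),
    Account("bchen", "E1003", enabled=True, last_logon=None),
    Account("svc_backup", "", enabled=True, last_logon=date(2009, 1, 30)),
]

HR_TERMINATIONS: List[Termination] = [
    Termination("E1001", date(2009, 1, 28)),   # still enabled and used
    Termination("E1002", date(2009, 1, 9)),    # correctly disabled
]


def find_violations(accounts: List[Account],
                    terminations: List[Termination],
                    today: date,
                    grace_days: int = 0) -> List[Tuple[str, str]]:
    """Return (username, reason) for enabled accounts of terminated staff.

    grace_days is an assumed policy setting: accounts are only reported once
    the termination date plus the grace period has passed.  A logon after the
    termination date is reported with a more severe reason, since it means
    access was actually exercised rather than merely left open.
    """
    effective_by_id = {t.employee_id: t.effective for t in terminations}
    findings: List[Tuple[str, str]] = []
    for acct in accounts:
        effective = effective_by_id.get(acct.employee_id)
        if effective is None or not acct.enabled:
            continue
        if effective + timedelta(days=grace_days) > today:
            continue  # termination not yet due for enforcement
        if acct.last_logon is not None and acct.last_logon > effective:
            findings.append((acct.username, "logon after termination date"))
        else:
            findings.append((acct.username, "enabled after termination"))
    return findings


def orphaned_accounts(accounts: List[Account]) -> List[str]:
    """Enabled accounts with no owning employee; these cannot be caught by
    the HR feed at all and need an explicit owner before the next layoff."""
    return [a.username for a in accounts if a.enabled and not a.employee_id]


if __name__ == "__main__":
    for user, reason in find_violations(DIRECTORY, HR_TERMINATIONS, date(2009, 1, 30)):
        print(f"VIOLATION {user}: {reason}")
    for user in orphaned_accounts(DIRECTORY):
        print(f"ORPHAN    {user}: no owning employee on record")
```

Running it against the sample data reports `jdoe` (terminated on the 28th, logged on the 29th, account still enabled) and flags `svc_backup` as an orphan. The orphan check matters because service and shared accounts are exactly the ones a departing administrator still knows the password to, and no HR-driven deprovisioning will ever touch them.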

Thursday, January 29, 2009

McAfee highlights perils of offshoring sensitive data

Global companies may have lost over $1tn (£696bn) worth of intellectual property last year owing to data theft, according to new research from McAfee presented today at the World Economic Forum in Davos.  Respondents to the study indicated that they lost a combined $4.6bn (£3.2bn) worth of intellectual property last year, and spent around $600m (£418m) repairing damage from data breaches.

Tuesday, January 20, 2009

Data breach study ties fraud losses to Hannaford, TJX breaches

A recent data breach study commissioned by the state of Maine sheds light on the losses banks experienced as a result of the data breaches at TJX and Hannaford Bros. supermarkets.  The state’s banks said they incurred $2.1 million in expenses related to data breaches since January 1, 2007.  The Hannaford breach had the largest impact, affecting 71 financial institutions and incurring $1.6 million in expenses, according to the Maine Data Breach Study.  Adam Shostack, blogger and author of The New School of Information Security, said the expenses work out to about $450 for each breached account, which is in line with estimated prices for pilfered account data on the black market.