Cyber Security Institute

Saturday, April 29, 2006

A Few Good Metrics

Information security metrics don’t have to rely on heavy-duty math to be effective, but they also don’t have to be dumbed down to red, yellow, green.  This article from CSO presents five smart measurements and effective ways to present them.  Metrics have a bad rep: mention metrics to a CISO and his thoughts may well turn to sigmas, standard deviations and, probably, probability.  There’s no denying that proven economic principles can, and should, be applied to information security investments, but useful metrics need not be exotic.  They’re sitting in your log files, on your network and in the brains of your business unit managers, just waiting to be harvested.  The article discusses five such metrics, along with some ways to present them visually, as imagined by Andrew Jaquith.  At @stake he invented a popular analytic methodology used to evaluate a client’s risk in its application portfolio.  More recently he started a website open to all security professionals for sharing, contributing and advancing the use of metrics in information security.


Friday, April 28, 2006

NIST releases standards for security logs

The National Institute of Standards and Technology released technical guidelines on how federal agencies should manage security logs.  The guidelines, NIST Special Publication 800-92: Guide to Computer Security Log Management, include suggestions for creating a log management policy, prioritizing log files and creating a centralized log management infrastructure to include all hardware, software, networks and media.


Thursday, April 27, 2006

Business users now buy Linux on security and reliability, not just cost, says Novell boss

Novell president and chief operating officer Ron Hovsepian sees the acquisition of the JBoss application server by Red Hat as having “further validated our early adoption of JBoss.”  Novell still has a satisfactory contract in place with JBoss in its new guise, despite its favouring of the Suse distribution of Linux.  The company claims to have a consistent code base from mainframe servers through to mid-range servers and down to the desktop.  Business users’ decision-making criteria on Linux have shifted from cost to reliability, scalability and security, says Hovsepian.


Security data swamps firms

Security systems such as firewalls and antivirus software are producing more data than some firms can cope with, according to new research released today by infrastructure management specialist Micromuse.  Nearly a third of IT managers questioned across Europe said they generate more security data than they can properly examine for potential threats, and 45 percent said they experienced more than 4,000 security “events” a second.


Despite Stricter Rules in Europe, US Companies More Advanced in Protecting Data

A new study comparing European and US corporate privacy practices reveals that while European companies impose tighter restrictions on the sharing of sensitive personal data, US companies currently have more sophisticated systems in place to prevent breaches.  The study, sponsored by global law firm White & Case as part of its annual Global Privacy Symposium, held Thursday, April 27 in New York, was conducted by the independent privacy think tank Ponemon Institute.  The survey questions were reviewed by two European data protection authorities, the Information Commissioner’s Office of the UK and the Commission Nationale de l’Informatique et des Libertés (CNIL) in France.  “European companies are much more likely to have privacy practices that restrict or limit the sharing of customer or employees’ sensitive personal information and are also more likely to provide employees with choice or consent on how information is used or shared,” said David Bender, head of White & Case’s Global Privacy practice.  “But the research also revealed that US companies are engaging in more security and control-oriented compliance activities than their European counterparts.”  Bender adds that ongoing concern about compliance with government rules is the lead driver for both US and European companies’ privacy practices.  But 50 percent of European and 24 percent of US privacy leaders now believe that strong privacy policies also are an important part of protecting or enhancing their company’s brand or image in the marketplace.


The evolution of spyware is outpacing that of viruses, with some software resetting itself hourly to evade detection

The evolution of spyware is outpacing that of viruses, with some software resetting itself hourly to evade detection, security experts warned today at Infosec Europe.  Security firm Webroot recorded a dramatic rise in spyware in the past 12 months, almost all of it aimed at harvesting financial data that could be used by third parties.  “Voice is definitely the next attack vector.  But this time the malware writers won’t use it for financial gain but for stealing intellectual property,” said Gerhard Eschelbeck, chief technology officer at Webroot and founder of vulnerability testing firm Qualys.  Eschelbeck added that his company had seen a 40 per cent rise in the amount of spyware in circulation over the past three months.


Wednesday, April 26, 2006

British business improves on security

A government-backed report into information security incidents in British business has revealed that the average number of companies reporting such incidents has fallen since 2004.  This may indicate that the business community is starting to win its war against malicious attacks in a world where information technology has become firmly embedded in the business environment.  A more responsible approach has also led to better updating practices, with 80% of businesses updating antivirus signatures within a day, compared with 59% in 2004.  While the number of companies updating their antivirus software within a day of the release of new signatures is relatively high at 80%, only 64% of businesses patch their operating systems in the same timeframe.  Formal security training remains thin: 88% of companies overall had no formally trained staff responsible for information security, although that figure dropped to 71% for large businesses.


IT security checklist focuses on consequences of breaches

A small office of the Homeland Security Department has released a draft cybersecurity checklist intended to help enterprises focus on the real-world consequences of security breaches.  The U.S. Cyber Consequences Unit was created by DHS to provide analysis of the economic and strategic consequences of cyberattacks on critical infrastructure and to evaluate the cost-effectiveness of countermeasures. As part of this work, director and chief economist Scott Borg and research director John Bumgarner began on-site visits to evaluate systems in critical industry sectors.  The new US-CCU list shifts the focus from perimeter security to monitoring and maintaining internal systems. The problem with perimeter security is that there is always some way to circumvent it, Borg said.  The checklist contains 478 questions grouped into six categories: hardware, software, networks, automation, humans and suppliers.



Phishing goes international

The number of phishing attacks targeting non-English speaking financial institutions is on the rise.  Attacks targeting countries outside the English-speaking world now represent almost 40 per cent of worldwide phishing targets, according to data processed by RSA Security’s Anti-Fraud Command Centre.


Tuesday, April 25, 2006

Novell Shells Out $72 Million to Buy e-Security

Commercial Linux distributor Novell last week continued to build out the security features of its SUSE Linux by acquiring e-Security, a provider of automated compliance and reporting software, for $72 million.  e-Security, which is based in Vienna, Virginia, was founded in 1999 and its Sentinel security event manager software is used by 150 companies, many of them very large organizations who have had their IT operations turned upside down by various government compliance regulations in the past year.  The Sentinel software collects, aggregates, correlates, and displays event information as it relates to users, resources, and applications.  Sentinel 5 comes with a whole slew of what are called “collectors,” which is just another way to say monitoring agents.  Collectors are created for the device, application, and network levels.
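The two items above describe the same problem from both ends: the Micromuse survey of firms producing thousands of security events a second that nobody can read, and Sentinel-style products that collect, aggregate and correlate those events.  As an added illustration (not code from Micromuse, Novell or e-Security), the Python below runs that pipeline over a handful of constructed firewall and antivirus log lines: parse each line into a common record, collapse repeats per minute into a count, and fire a single correlated alert when one host is both port-scanning and has a malware detection.  The log format, field names and thresholds are assumptions made for the example.

```python
"""Collect, aggregate, correlate: a minimal event pipeline over constructed logs.

The input format (fw/av tag followed by key=value fields) is an assumption for
this example; real collectors normalize many vendor formats into one record.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample: one host scans six ports and trips antivirus; a second
# host repeats a single blocked connection; a third is normal web traffic.
SAMPLE = """\
2006-04-27T10:00:01 fw1 fw: DROP src=10.0.0.5 dst=10.0.1.1 dport=22
2006-04-27T10:00:01 fw1 fw: DROP src=10.0.0.5 dst=10.0.1.1 dport=23
2006-04-27T10:00:02 fw1 fw: DROP src=10.0.0.5 dst=10.0.1.1 dport=25
2006-04-27T10:00:02 fw1 fw: DROP src=10.0.0.5 dst=10.0.1.1 dport=80
2006-04-27T10:00:03 fw1 fw: DROP src=10.0.0.5 dst=10.0.1.1 dport=443
2006-04-27T10:00:03 fw1 fw: DROP src=10.0.0.5 dst=10.0.1.1 dport=445
2006-04-27T10:00:05 av1 av: DETECTED host=10.0.0.5 name=Trojan.Example
2006-04-27T10:00:06 fw1 fw: DROP src=10.0.0.7 dst=10.0.1.1 dport=22
2006-04-27T10:00:09 fw1 fw: DROP src=10.0.0.7 dst=10.0.1.1 dport=22
2006-04-27T10:00:07 fw1 fw: ACCEPT src=10.0.0.9 dst=10.0.1.1 dport=80
2006-04-27T10:00:08 fw1 fw: ACCEPT src=10.0.0.9 dst=10.0.1.1 dport=80
2006-04-27T10:00:12 fw1 fw: ACCEPT src=10.0.0.9 dst=10.0.1.1 dport=80
"""

LINE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<source>fw|av): (?P<body>.*)$")
FW = re.compile(r"(?P<action>DROP|ACCEPT) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")
AV = re.compile(r"(?P<action>DETECTED|CLEANED) host=(?P<src>\S+) name=(?P<name>\S+)")


def parse(text):
    """Normalize raw lines into dicts with ts, source, action, src (+ dport/name)."""
    records = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # unparseable line: real pipelines would count these, not drop silently
        body = (FW if m["source"] == "fw" else AV).match(m["body"])
        if not body:
            continue
        rec = {"ts": datetime.fromisoformat(m["ts"]), "source": m["source"]}
        rec.update(body.groupdict())
        records.append(rec)
    return records


def aggregate(records):
    """Collapse events into per-minute counts keyed by (minute, source, action, src).

    For firewall events also track the set of distinct destination ports per key,
    which is what distinguishes a scan from one noisy connection retried many times.
    """
    counts = Counter()
    ports = defaultdict(set)
    for r in records:
        minute = r["ts"].replace(second=0, microsecond=0)
        key = (minute, r["source"], r["action"], r["src"])
        counts[key] += 1
        if r["source"] == "fw":
            ports[key].add(r["dport"])
    return counts, ports


def correlate(records, scan_ports=5):
    """Alert on a host that is both scanning (>= scan_ports distinct blocked ports
    in one minute) and the subject of an antivirus detection."""
    counts, ports = aggregate(records)
    scanners = {k[3] for k, p in ports.items() if k[2] == "DROP" and len(p) >= scan_ports}
    infected = {k[3] for k in counts if k[1] == "av" and k[2] == "DETECTED"}
    return [f"{src}: port scan plus malware detection" for src in sorted(scanners & infected)]


if __name__ == "__main__":
    recs = parse(SAMPLE)
    counts, _ = aggregate(recs)
    print(f"{len(recs)} raw events collapsed to {len(counts)} aggregates")
    for alert in correlate(recs):
        print("ALERT", alert)
```

The point of the aggregation step is the ratio in the first printed line: twelve raw events become four aggregates, and only one of those is worth a human’s attention.  At the 4,000-events-a-second volumes in the survey, collapsing repeats and correlating across sources is the only way the remaining signal gets looked at.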


How To Stop Internet Identity Theft

Despite the increasing awareness of identity theft among consumers and financial institutions, the identity-theft racket shows no signs of slowing.  Reported losses from identity theft, currently responsible for over 40 percent of all fraud complaints, approached $300 million last year.  “True identity theft is a problem that goes far beyond simple credit-card fraud, against which consumers are fully protected, thanks to zero-liability laws and other regulations,” said Dave Collett, a spokesperson for MasterCard.  All too often, consumers provide the information thieves need unknowingly, through careless Web surfing and by using computers whose security has been breached by virus and spyware infections.


Monday, April 24, 2006

RSA snaps up authentication software maker

RSA Security has acquired authentication software maker PassMark Security in a $44.7 million cash and stock deal.  The acquisition is designed to bolster RSA’s presence in the financial services arena and build on its recent acquisition of Cyota, the company announced Sunday.



Thursday, April 20, 2006

UK Security Professionals Think: We’re winning the war against hackers

Despite the apparent growth in security incidents and hacker attacks over recent years, a clear majority (72 per cent) of UK security professionals feel their organisation is more secure than it was 12 months ago.  Organisations are no longer on the back foot in the fight against security threats, with only 11 per cent of respondents in a survey of 100 chief security officers (CSOs) and IT directors saying they take a ‘reactive only’ approach to security.  The majority of respondents have IT security policies and training in place, such as acceptable usage policies (92 per cent), email usage policies (85 per cent), password policies (81 per cent), and training in the need for backups (59 per cent).


IT security - UK companies’ biggest concern

UK companies are spending an increasing amount of time and money protecting themselves from IT security threats despite claims from some sectors of the technology industry that the war against hackers and virus writers is being won.  This is one of five key conclusions drawn by Butler Group, based on its analysis of results from the Q1 2006 “UK IT Priorities Survey,” undertaken by ZDNet UK, the UK’s leading technology website and a property of CNET Networks UK.  While the survey found that companies are prioritizing investments in anti-virus, anti-spyware and network security, it also clearly indicates that other important areas of risk, such as identity and access management, are largely being over-looked.  Other top priorities are application development, networking and communications, server hardware and desktop software.


Better security wanted for confidential data

A research report by IT analysts Enterprise Strategy Group (ESG) has revealed that data protection practices in businesses need improving.  In this light the overall tendency for businesses to increase their IT and security budgets looks positive.  However, less than a quarter of respondents (23%) believed that current security technologies available to them can fully enforce the required security policies.  Overall, a quarter of respondents believe that their business was “vulnerable” or “very vulnerable” to a data breach from different attack vectors.  The same percentage of people also claimed that security policies and procedures in their organisation were “fair” at most, meaning that a lot of confidential data remained unprotected.


N.Y. County (Westchester) Enacts Wireless Security Law

Westchester County on Thursday enacted a law that is designed to limit identity theft by forcing local businesses to install basic security measures for any wireless network that stores customers’ credit card numbers or other financial information.  The law also requires that businesses offering Internet access—coffeehouses and hotels, for example—post signs warning that users should have firewalls or other security measures.  The law requires each business to install a firewall or change the default SSID, the name that identifies a wireless network, if the personal information stored has not already been encrypted.


E-mail authentication gaining

A host of software companies, security firms and Internet service providers met in Chicago to urge corporations and bulk message senders to adopt e-mail authentication technologies.  The technologies, known as Sender ID and DomainKeys, aim to allow e-mail recipients to positively identify the sender of an e-mail message and hold the promise of giving service providers the tools they need to effectively end spam and phishing attacks.  Yahoo!, the creator of DomainKeys, receives about a billion messages a day signed with the technology though Yahoo!  Meanwhile, more than 2.4 million domains are publishing the additional domain information required for Sender ID, up from 20,000 two years ago, according to Microsoft, which has spearheaded the Sender ID initiative.  In total, more than 35 percent of e-mail is authenticated in some way and 21 percent of Fortune 500 companies publish Sender ID records, according to Microsoft.
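Sender ID and DomainKeys are two different mechanisms: DomainKeys has the sending domain sign each message and publish its public key in DNS, while Sender ID (like SPF, whose mechanism syntax it reuses) has the domain publish a DNS TXT record listing the hosts allowed to send for it, which the receiver checks against the connecting IP.  The Python below, added here as an illustration and not code from Microsoft, Yahoo! or any of the vendors named, implements the record-walking side of that second check.  DNS is replaced by an in-memory dictionary of constructed records so it runs offline, and the `a`, `mx`, `ptr`, `exists` and `redirect` mechanisms, which need live DNS, are deliberately left out; both are assumptions of the example.

```python
"""Evaluate an SPF / Sender ID style TXT record for a sending IP address.

Mechanisms implemented: ip4, ip6, include, all, with the +/-/~/? qualifiers.
Mechanisms needing live DNS (a, mx, ptr, exists, redirect) are not implemented
here and yield permerror; that is a simplification for this example.
"""
import ipaddress

# Constructed records standing in for DNS TXT lookups (not real zone data).
ZONE = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.10 ~all",
    "senderid.example": "spf2.0/pra ip4:192.0.2.50 -all",
    "loop.example": "v=spf1 include:loop.example -all",   # pathological: includes itself
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_INCLUDE_DEPTH = 10  # RFC 4408 caps DNS-querying mechanisms at 10 per check


def lookup_txt(domain, zone=ZONE):
    """Stand-in for a DNS TXT query."""
    return zone.get(domain.lower())


def check_host(ip, domain, zone=ZONE, _depth=0):
    """Return pass / fail / softfail / neutral / none / permerror for ip sending as domain."""
    if _depth > MAX_INCLUDE_DEPTH:
        return "permerror"
    record = lookup_txt(domain, zone)
    if record is None:
        return "none"
    terms = record.split()
    version = terms[0].lower() if terms else ""
    if version != "v=spf1" and not version.startswith("spf2.0/"):
        return "none"  # not an SPF or Sender ID record
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed address in a published record
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            sub = check_host(ip, arg, zone, _depth + 1)
            if sub == "pass":
                return QUALIFIERS[qualifier]
            if sub in ("none", "permerror"):
                return "permerror"  # an include target that cannot be evaluated is fatal
            # fail / softfail / neutral from an include: try the next term
        else:
            return "permerror"  # mechanism not supported in this example
    return "neutral"  # record exhausted with no match and no explicit all


if __name__ == "__main__":
    for ip, dom in [("192.0.2.7", "example.com"), ("198.51.100.10", "example.com"),
                    ("203.0.113.5", "example.com"), ("203.0.113.5", "loop.example")]:
        print(f"{ip:>16} as {dom:<18} -> {check_host(ip, dom)}")
```

Two details matter in practice.  A `~all` (softfail) result is advisory and most receivers only use it as one input to a spam score, so a domain that never moves to `-all` gets little protection from publishing a record at all.  And the include-depth limit is not cosmetic: without it a self-referencing or deeply nested record lets a sender make the receiver’s mail server do unbounded DNS work on every message.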


More Internet Threats Expected This Year

According to Trend Micro’s report, called Virus and Spam Roundup 2005 and Predictions for 2006, this year will see more spy phishing and spear phishing on the Internet.  Another prediction for this year is the rise of bots with increased functionality through rootkits and vulnerability exploits, says Trend Micro’s senior technical consultant Chong Yu Nam.  Last year, zombie networks contributed to more than 33 percent of all spam resources, and 65 percent of the top 15 threats included some form of spyware, adware, backdoor, rootkit, and bot systems.


Wednesday, April 19, 2006

Hackers and regulators force security crackdown

A survey of companies in eight European countries and the US by Forrester Consulting found that there are big budgets for identity management and access control projects.  One third of organisations surveyed said they plan to have strong authentication or two-factor authentication capabilities within 12 months.  More than a third of respondents (38 per cent) said they had budgets of Euros 250,000 and 12 per cent of budgets were in excess of Euros 1M.


Telecommuting security concerns grow

IT managers say key concern is ensuring telecommuters’ PCs keep pace with corporate security guidelines.  Telecommuting has become a way of life as more companies let employees work from home to do jobs that might otherwise be done on corporate premises.  Last year an estimated 8.9 million telecommuters worked from home three or more days each month during regular business hours, according to IDC.  At places where home-based work has become the norm, IT managers say a key concern is ensuring each telecommuter’s PC - typically granted remote access to a corporate LAN - keeps pace with office security guidelines.  According to IDC, healthcare is the industry in which telecommuting is most common, followed by the science and technical services arena, and manufacturing.  The financial-services industry is stepping gingerly into telecommuting, with IT managers aware that government regulators and auditors will want to know about security controls on home-based computers.


Tuesday, April 18, 2006

Rootkits on the rise

McAfee Labs say that the number of rootkits used by attackers to hide malware grew 700 percent in the first quarter, compared to the same period last year.  McAfee found 827 different rootkits in the first four months, which is more than it found in the whole of last year.


Software insecurity: Plenty of blame to go around

A free-wheeling debate on software security at the 2006 International Conference on Network Security in Reston today came to no clear consensus on responsibility for the disappointing quality of software.  On the other hand, it was agreed that federal security certification programs could serve as models for improving private sector IT security.  One audience member criticized the security and development communities for focusing on clever tricks for solving problems and deplored the lack of due diligence by organizations in designing networks and deploying software.  Stuart Katzke of the National Institute of Standards and Technology said that standards and guidelines developed by NIST could help provide that methodology.  He said the suite of documents produced for the Federal Information Security Management Act effectively establish a level of due diligence for government IT systems.


It takes too long to patch

The last few months have seen a number of companies being criticised for taking too long to release patches for critical vulnerabilities.  At the same time, response speed is becoming quicker, reducing the window of opportunity available to attackers.  The study shows that 19% of companies take more than a week to patch vulnerabilities, while 27% take at least two days.  Overall, nearly half of those questioned claimed their computer systems were never completely protected.  Another recent survey of consumer security showed that although 83% of users currently have an anti-virus product installed, 56% had not updated this software in the week before the survey was carried out.


Monday, April 17, 2006

Microsoft criticized for silent patches

Some security researchers took issue last week with little-documented changes made by Microsoft to Windows in the last batch of security updates, but the software giant responded in a blog posting on Saturday that sometimes less information means better security.  The advisory stated that the vulnerability being fixed was privately reported but that a “variation” of the flaw had been publicly disclosed in May 2004.  Microsoft should have stated that the original vulnerability—more than 700 days old—had been fixed as well as a more recent, privately disclosed flaw, vulnerability researcher Matthew Murphy stated in a blog post.


What’s the next security threat?

In January this year, 20-year-old Jeanson James Ancheta pleaded guilty in a California court to charges that he had broken into government computers and taken control of them for purposes of fraud.  He had planted Trojan software on the systems at the China Lake Naval Facility in California’s Mojave Desert, enabling him to manipulate computers on the network there.  He had then used the computers to generate hits on Web site advertisements, for which the advertisers paid according to the traffic they received.  The spyware or Trojan horses that such attackers plant on unsuspecting users’ machines do not draw attention to themselves, but once installed, they work as slaves to their remote masters.  Bot networks, which are armies of these hijacked computers, have become the predominant feature of the Internet threat landscape.


Thursday, April 13, 2006

Texas works on P2P policy

Fearing that state computer systems will be jeopardized, Texas state technology officials are planning to restrict the use of peer-to-peer file-sharing applications among agencies, departments, boards and commissions.  Rick Perry issued an executive order April 5 directing the state Department of Information Resources to devise a policy prohibiting the unauthorized or illegal use of such software programs and also permitting their use for government business and law enforcement purposes that won’t pose a risk to computer systems.  As opposed to a traditional client-server model, P2P networks are composed of nodes that serve as clients and servers to other nodes on the network.  Perry’s executive order states that “without adequate protections and procedures in place, the use of peer-to-peer file-sharing software can result in the presence of viruses and malicious programs on state information management system computers and networks, and consume network resources, resulting in the creation of inefficiencies in the performance of those systems.”


Wednesday, April 12, 2006

US security agency scrutinises secure storage device

The US National Security Agency (NSA) and Treasury Department have expressed interest in a secure storage device that hard drive manufacturer Seagate is developing.  Seagate spokesperson Michael Hall said that the company has met with the two US government agencies over its Momentus 5400 FDE technology.  It is expected to be launched in the second half of this year and Hall said that he was confident that the agencies’ evaluation would not delay the drive’s launch.


Report: IM, P2P threats on the rise

According to the results of newly released research from FaceTime Communications, threats targeting instant messaging (IM) and peer-to-peer (P2P) applications rose significantly in the first quarter of 2006 compared to the same period last year.  The company examined what it calls “greynets,” programs installed on a system without permission from IT departments that are adept at evading existing security tools.  Each individual incident report represents the detection of a security issue impacting one or more real-time communications channels on one day, FaceTime said.  With 453 incidents recorded in the period, the number of security incidents was 723 per cent higher in Q1 2006 than in the same period last year.  Multi-channel propagation was 23 times more common in Q1 2006 than in the same period last year.



Tuesday, April 11, 2006

Man still the weakest link

Human error was responsible for nearly 60 percent of information security breaches last year, a new study has found.  “The primary cause of security breaches—human error—is not being adequately addressed,” Brian McCarthy, chief operating officer of CompTIA, said in a statement. “The person behind the PC continues to be the primary area where weaknesses are exposed.”  Despite the prominent role that human behavior plays in information security breaches, just 29 percent of the 574 organizations worldwide that participated in the survey said security training is a must for employees. Only 36 percent of organizations offer security awareness training, the study found.


Monday, April 10, 2006

FDIC - Delivery of Special Alerts - Electronic Distribution to Become Primary Method

Beginning June 1, 2006, the Federal Deposit Insurance Corporation (FDIC) will change its primary method of distributing Special Alerts (SAs) to insured financial institutions from paper-copy delivery through the U.S. Postal Service to electronic delivery through the FDIC’s free secure Web site, FDICconnect.