Cyber Security Institute

Thursday, June 29, 2006

Data Security Displacing Malware as #1 Concern Worldwide


SAS 70

SAS 70, the auditing standard, is finding its way onto CSOs’ desks.  Used correctly, it’s a nice start on verifying business partners’ security controls.  Unfortunately, some people aren’t using it correctly.  The SAS 70 audit, an increasingly popular examination of internal corporate controls, is the source of confusion and debate in the information security world.  There are those who swear by it.  Jennifer Bayuk, managing director of IT security at Bear, Stearns & Co., calls a SAS 70 audit “probably the best you can get for a security test, especially when you compare it to something like a security penetration study.”  Then there are those who swear about it.  This article equips CSOs with an understanding of how to be helped, not hindered, by the rise of SAS 70.


EMC Acquires RSA

The acquisitive storage giant announced late Thursday that it will acquire RSA Security for about $2.1 billion, just hours after news broke that EMC and at least one other bidder were in negotiations to buy RSA for at least $1.8 billion.  EMC said the acquisition adds identity and access management solutions and encryption and key management software to EMC’s information-centric security portfolio.  In a statement, EMC Chairman, President and CEO Joe Tucci said, “Information security is a top priority among executives around the world, and it has become an inseparable attribute of information management.  Businesses can’t secure what they don’t manage, and when it comes to securing information, that means simply two things: managing the data and managing access to the data.”  Tucci said the acquisition “signals a fundamental change in the landscape of the security market.”


Security needs vary for each industry vertical

IT managers cannot ignore secure content management (SCM), but needs vary greatly for each industry vertical, according to a new report from research firm IDC.  The report says there are significant differences between verticals, such as how business pain points are defined, as well as the drivers and concerns for deploying this particular software.  IDC Australia security solutions market analyst Patrik Bihammar said that, because of these vertical differences, vendors must have a good understanding of industry-specific trends, drivers, regulations, spending intentions and business processes in order to be successful in selling to various verticals.


Tuesday, June 27, 2006

The ABCs of New Security Leadership

September 11 profoundly changed the public perception of national security; the Enron accounting scandal and a rash of similar scams alerted us to widespread deficiencies in corporate governance, accountability and ethics.

IN: Metrics and ROSI
OUT: Blame games and fall guys
IN: Risk management and shared accountability
OUT: Tech talk and copspeak
IN: Business language and communication skills
OUT: Silos
IN: Holistic security


CA Introduces New ITIL Compliance Software Set

CA introduced a new set of software, services and training programs June 27 that aim to help its customers implement and automate yet another set of best practices, the IT Infrastructure Library (ITIL).  CA’s Service Management Accelerator is designed to let IT organizations simplify standards compliance across these ITIL processes, a CA spokesperson said.  The Service Management Accelerator lets customers unify people, processes and technology while automating all ITIL processes across both service support and service delivery, the spokesperson said.


Monday, June 26, 2006

SMBs Set to Spend US $11.4B on IT Security in 2006

Small and medium businesses (SMBs) worldwide are set to spend more than US $11.4 billion on beefing up their IT security and infrastructure this year in a bid to thwart increasing electronic threats.  This spending will increase at double-digit rates annually over the next several years, according to the latest study by New York-based Access Markets International (AMI) Partners, Inc.  These results were based on surveys of SMBs conducted by AMI in over 20 countries representing key developed and emerging markets.


Endpoint Device Control: Don’t Believe the Hype

In the wake of the increased focus on endpoint security, controlling the use of devices that can be attached to endpoints, especially memory devices like USB memory sticks, has become of paramount importance to companies.  While this raises awareness of a relatively new threat, it should be pointed out that the threat is not confined to this one form.  Dozens of new and existing vendors have appeared in this space touting their products as the next ‘must have’ security product in a network.  Many of them offer granular control that allows specific devices to be used by specific individuals at specific times.  It is important for companies to understand the difference between hype generated by vendors and the reality of how a threat can enter and affect your network.  With so many vendors offering device control and protection against the use of memory devices, the wave of misinformation is influencing companies to make rash decisions to purchase point solutions.


Sunday, June 25, 2006

Security in the balance

Until recently, banks have considered information security a cost of doing business.  Nowadays, new market trends are driving the financial sector’s IT security investments.  For one, the constant barrage of security attacks banks have suffered has resulted in declining customer confidence.  That imposes a huge challenge on financial organisations that are looking to add more customers, especially in online banking, where most Middle East banks have increased their focus.  As consumers’ awareness of data security and data confidentiality increases, banks are starting to look at security from the perspective of their clients.  For instance, in the US, several major banks, such as Citigroup, have launched advertising campaigns heralding their recent investments in security, positioning these banks as not only the better choice, but also the safer choice.


Friday, June 23, 2006

Financial Institutions Face Surge in External Security Attacks

The world’s largest financial institutions have faced a surge in the number of security attacks over the past year, particularly from external sources, according to the 2006 Global Security Survey released by the Financial Services Industry practices of the member firms of Deloitte Touche Tohmatsu (DTT).  More than three-quarters (78 percent, up from 26 percent in 2005) of respondents confirmed a security breach from outside the organization and almost half (49 percent, up from 35 percent in 2005) experienced at least one internal breach.  The fourth annual survey consisted of interviews with senior security officers from the world’s top 100 global financial institutions and acts as a global benchmark for the state of IT security in the financial sector.  The top three most common attacks over the past 12 months included ones intended to extort some form of monetary gain. Phishing and pharming were employed for more than half (51 percent) of external attacks, followed by spyware/malware (48 percent). Insider fraud (28 percent) and customer data leaks (18 percent) were cited by respondents among the top three most common internal breaches.


Decline in cybercrime claims rubbished

Businesses should not get carried away by the extremely positive findings of the latest 2006 Computer Crime and Security Survey, jointly produced by the Computer Security Institute (CSI) and the FBI, analyst firm Gartner claims.  For instance, average losses from cybercrime were down for the fifth year running, falling from $204,000 in 2005 to an average of $168,000 in 2006, according to CSI.  Since 2004, CSI claims, average losses from cybercrime to business have fallen by a massive 68%.  Gartner has been quick to warn businesses that the situation may not be as rosy as the 2006 report claims.  One example given by Gartner is another recent survey by Deloitte, which contradicts CSI’s findings by claiming that over the same period security breaches at financial institutions have actually increased considerably.


CSI/FBI: Small Firms Pay Big For Security

That’s one of the findings in the 2006 Computer Security Institute/FBI annual security survey, which is scheduled for release on July 12.  According to the new data, companies with revenues of less than $10 million annually invest approximately $746 per employee per year on security, while companies that make $1 billion or more spend just $58 per employee.


Wednesday, June 21, 2006

Study: Most Technology Companies Have Data Losses

Over half of all companies doing business in the technology, media and telecommunications sectors have experienced data breaches that potentially exposed their intellectual property or customer information, a new research report shows.  According to the report, published by Deloitte Touche Tohmatsu, not only have many technology providers been hit with the same sorts of data losses that have recently plagued other industries, but a large number of the firms have also failed to make sufficient investments in security technologies aimed at preventing future incidents.  Deloitte researchers said that security has long been “neglected” by technology, media and telecommunications companies despite their dependence on digital information to run their businesses.  The consulting company surveyed executives at 150 such companies and found that even in the face of public embarrassment, financial losses and potential litigation linked to data breaches, many of the businesses have yet to make necessary investments to more adequately protect their information.


Tech Giants Form Consumer Privacy Rights Forum

A group of high-tech companies including Intel, Microsoft, Oracle, eBay, Google, Sun Microsystems, HP and Symantec have formed the Consumer Privacy Legislative Forum with the goal of promoting the adoption of a nationwide privacy law.  The Legislative Forum advocates legislation that would protect consumers “from inappropriate collection and misuse of their personal information, and also enable legitimate businesses to use information to promote economic and social value,” it said in a statement.  The Legislative Forum makes it clear that the national standard it envisions would preempt state laws.  For that reason, “a robust framework is warranted,” it said.  Some privacy advocates worry that preemption of state laws might constitute an end-run around the more stringent—and to many companies, quite onerous—privacy protections that are already in place.


Tuesday, June 20, 2006

Research Predicts Security Spending Slowdown

Even as high-profile data leaks grab headlines and compliance auditors begin making their rounds, many chief information security officers are preparing to trim their budgets.  According to a new survey of North American CISOs released by New York-based investment bankers Merrill Lynch & Co., enterprises are hoping to throttle down their spending on new IT security technologies over the second half of 2006.  On average, the IT security executives interviewed by Merrill Lynch said they only plan to increase spending by 2.9 percent over the next 12-18 months, whereas CISOs had indicated plans to increase spending by 11.4 percent when the survey was last conducted in March 2006.  Among the trends driving the reduced spending on IT security is the growing inclusion of defensive features built into technologies such as network equipment and Microsoft’s next-generation Windows Vista operating system.


Saturday, June 17, 2006

Encryption can save data in laptop lapses

Reports of data theft often conjure up images of malicious hackers breaking into remote databases to filch Social Security numbers, credit card records and other personal information.  But a lot of the time, the scenario is much simpler: a careless worker at a company or agency with weak security policies falls prey to a low-tech street thug who runs off with a laptop loaded with private data.  In the biggest case, the Department of Veterans Affairs recently lost data on 26.5 million veterans and military personnel stored on a laptop and external drive stolen from the suburban Washington home of a VA employee.  Security experts and some privacy groups say simple measures could protect data if a laptop falls into nefarious hands.  They include encrypting the information so it’s nearly impossible to access without the correct credentials.


Friday, June 16, 2006

SCADA industry debates flaw disclosure

The outing of a simple crash bug has caused public soul-searching in an industry that has historically been closed-mouthed about its vulnerabilities.  The flaw, in a particular vendor’s implementation of the Inter-Control Center Communications Protocol (ICCP), could have allowed an attacker to crash a server.  Yet, unlike corporate servers that handle groupware applications or Web sites, the vulnerable server software—from process-control application maker LiveData—monitors and controls real-time devices in electric power utilities and healthcare settings.  The best known types of devices are supervisory control and data acquisition (SCADA) devices and distributed control system (DCS) devices.  A crash becomes a more serious event in those applications, said Dale Peterson, CEO of Digital Bond, the infrastructure security firm that found the flaw.


Regulatory Compliance Planning Guide

The Regulatory Compliance Planning Guide is designed to help IT managers and Microsoft customers meet specific IT compliance obligations that directly relate to major regulations and standards.


Study: Sarbanes-Oxley forcing some companies to consider going private

Faced with the costs to comply with the Sarbanes-Oxley Act, some public companies are looking at going private, even though the costs fell slightly in 2005.  Fed up with the Sarbanes-Oxley burden, 21% of companies that responded to law firm Foley & Lardner’s latest study said they are considering going private.  Other options respondents are considering include selling the company (10%) and merging with another company (8%).  Meanwhile, costs associated with corporate governance reform dropped 16% for companies with less than $1 billion in annual revenue and 6% for companies with greater than $1 billion in annual revenue, reports Foley & Lardner in its fourth annual Sarbanes-Oxley study, released Thursday.  The savings stem from decreased productivity losses, legal fees and initial setup costs.  However, audit fees increased, as did the cost of board compensation and liability insurance for directors and officers.


Thursday, June 15, 2006

Microsoft Reminds About Ending XP SP1 Support


Wednesday, June 14, 2006

Money lost to cybercrime down—again

While many headlines spell doom and gloom when it comes to computer-related misdeeds, the average losses at businesses due to cybercrime continue to drop, according to a new survey.  For the fourth straight year, the financial losses incurred by businesses due to incidents such as computer break-ins have fallen, according to the 2006 annual survey by the Computer Security Institute and the FBI.  Robert Richardson, editorial director at the CSI, discussed the survey’s findings in a presentation at the CSI NetSec conference here Wednesday.  Respondents in the 2005 survey reported an average of $204,000 in cybercrime losses, Richardson said.  About a third of respondents said they had no losses at all due to insider threats, while another 29 percent said less than one-fifth of overall losses came from insider threats.


Cerf: Wire Tapping VoIP Will Kill Innovation

Building standardized wiretap backdoors into Internet telephone systems is a bad idea that will lead to increased cyber security concerns.  “The network architectures of the Internet and the public switched telephone network (PSTN) are substantially different,” the report states.  The U.S. Court of Appeals for the District of Columbia said VoIP calls are no different than traditional telephone service when it comes to wiretap laws.  At issue is the Communications Assistance for Law Enforcement Act (CALEA), a 1994 law mandating traditional telephone companies build their technology in specific ways in order to make wiretapping easier for law enforcement officials.


Tuesday, June 13, 2006

Novell Lets Bandit Loose

Managing your identity on the Internet of 2006 is a complex web that requires multiple identities and passwords for multiple sites and services.  This open source effort led by Novell aims to integrate disparate identity standards and projects in an effort to help create an identity system that spans the Internet.  Formally announced Monday, Bandit actually went live in February.  Bandit integrates a number of different initiatives and open standards for identity management.  Among them is an implementation of the open source Higgins framework, which is seen as an open source counter to Microsoft’s InfoCard single sign-on initiative.  Project Higgins is an effort in which Novell, IBM and others collaborate on an identity framework that enables users to integrate profile and identity information across disparate systems.  Other Bandit components include the Common Authentication Services Adapter (CASA), which enables interoperable authentication for sign-on systems, and the Role Engine service for role-based authorization.


Disaster Recovery at the Macro Level

Disaster Recovery is about three things: planning, testing, and procedures.  Banks have to satisfy compliance initiatives and answer to the FFIEC and OCC.  Satisfying compliance initiatives may get you off the hook with the regulators and make you look good on paper, but what you are really interested in is staying in business for the long haul.  Eighty-five percent of companies without a disaster recovery plan go out of business within a year after a disaster.  After the World Trade Center disaster, statistics showed that companies with complete plans were operational within 30 days.  While IT people are key partners in the disaster recovery efforts, their plates are usually full and overflowing.


WARNING: One of the Microsoft patches released today will break web applications

An IE ActiveX patch could impact web applications.  Paul highly recommends that you perform additional testing of your critical web apps before you roll this patch out.

Monday, June 12, 2006

Microsoft Makes Security The ‘ForeFront’

Microsoft officials introduced a new brand of security software, called ForeFront, at the company’s Tech Ed 2006 event.  Bob Muglia, senior vice president of the server and tools business at Microsoft, said ForeFront will include Forefront Client Security, an enhanced version of the company’s Microsoft Client Protection software for protecting desktops, laptops and server operating systems from viruses and other threats.


Banks should check risk controls, Bies says

Managers of U.S. banks should evaluate their policies at least once a year for controlling the risk of financial losses or illegal activities, Federal Reserve Gov. Bies said.  In remarks prepared for delivery to a financial group, Bies also said banks should guard against information-security breaches by controlling access to fund-transfer systems.  By law, banks must file reports about suspicious activity, to combat money laundering and other tools of terrorism.  “Effective management of information security risk, even when focused on a specific function, requires an enterprise-wide approach to yield a true and complete evaluation of the associated risks,” she said in a speech before the Financial Women’s Association.


Enterprise Attacks Tripled

Aladdin Knowledge Systems has announced that the Aladdin Content Security Response Team (CSRT) released the findings of a study that uncovered a dramatic increase in the number of dangerous spyware and Trojan threats lurking on the Web last year.

213 percent increase in spyware: the number of malicious threats classified as spyware by the Aladdin CSRT grew from 1,083 in 2004 to 3,389 in 2005, a spike of more than 213 percent.
142 percent increase in Trojans: the number of malicious threats classified as Trojans by the Aladdin CSRT grew from 1,455 in 2004 to 3,521 in 2005, a 142 percent rise.
56 percent increase in viruses and other threats: the number of all other malicious threats grew from 6,222 in 2004 to 9,713 in 2005, a 56 percent increase.


Friday, June 09, 2006

VoIP Security Alert: Hackers Start Attacking For Cash

An owner of two small Miami Voice over IP telephone companies was arrested last week and charged with making more than $1 million by breaking into third-party VoIP services and routing calls through their lines.  Hacking has become a decidedly for-profit crime, with crooks intent on theft rather than disruption.  Edwin Pena had been making easy cash for almost 18 months and sold about 10 million minutes before law enforcement caught up with him yesterday morning, prosecutors say.  He paid $20,000 to Spokane, Wash., resident Robert Moore, who helped Pena scan VoIP providers for security holes using a code-cracking method called brute force.  Those providers have to pay for access to the Internet’s backbone, and they found themselves with up to $300,000 in charges for access stolen through Pena’s hacks, authorities say.


Wednesday, June 07, 2006

Cleaning up Data Breach Cost 15X More Than Encryption

Protecting customer records is an order of magnitude less expensive than paying for cleanup after a data breach or massive records loss, according to research company Gartner.  Gartner analyst Avivah Litan said in a research note that data protection is cheaper than a data breach.