Cyber Security Institute

Sunday, July 30, 2006

Federal Financial Regulators Release Updated Information Security Booklet

The Federal Financial Institutions Examination Council today issued revised guidance for examiners and financial institutions to use in identifying information security risks and evaluating the adequacy of controls and applicable risk management practices of financial institutions.
The Office of Thrift Supervision (OTS), along with the other federal banking agencies, has released the revised Information Security Booklet and an Executive Summary of the Federal Financial Institutions Examination Council’s (FFIEC) Information Technology Examination Handbook.
The FDIC Board of Directors is seeking comment on the three attached proposed rules. The first proposed rule would create a new system for risk-based assessments. The second proposed rule would set the designated reserve ratio (DRR) at 1.25 percent. The third proposed rule would govern the penalties for failure to pay assessments. The Federal Deposit Insurance Reform Act of 2005 requires the FDIC to prescribe final regulations by November 5, 2006. Comments on the first two proposed rules are due by September 22, 2006; comments on the third rule are due by September 18, 2006.


Friday, July 28, 2006

Banks face Web security deadline

For some bank IT managers, last fall’s release of federal guidelines for validating the identities of online users helped catalyze ongoing efforts to adopt so-called strong authentication measures.  But a majority of U.S. banks appear unprepared to meet the Dec. 31 deadline by which they’re supposed to comply with the guidelines, several analysts said this week.  “Most banks haven’t done much with [the guidelines] because there is still some confusion as to what needs to be done,” said George Tubin, an analyst at TowerGroup in Needham, Mass.  Preston Woods, Zions’ chief information security officer, said the release of the guidelines last October by the Federal Financial Institutions Examination Council gave a push to a strong authentication initiative that Zions had already started.


Wednesday, July 26, 2006

Laptop border searches OK’d

What: A business traveler protests the warrantless search and seizure of his laptop by Homeland Security at the U.S.-Canada border.  When: 9th Circuit Court of Appeals rules on July 24.  Outcome: Three-judge panel unanimously says that border police may conduct random searches of laptops without search warrants or probable cause.  These searches can include seizing the laptop and subjecting it to extensive forensic analysis.


Friday, July 21, 2006

The Value of Branding Your Security Awareness Program

The Computing Technology Industry Association (CompTIA) released results of a study earlier this year which found that human error was responsible for nearly 60 percent of information security breaches experienced by organizations over the last year.  Additionally, the results of the study show that most companies don’t require security awareness training, and only 36% of companies surveyed offered end user security awareness training.


Tuesday, July 18, 2006

Symantec sees an Achilles’ heel in Vista

New networking technologies in Windows Vista will be less stable and secure than in XP, at least in the short term, Symantec researchers say.  Some of Microsoft’s efforts to make Windows Vista its most stable and secure operating system ever could cause instability and new security flaws, according to a Symantec report.


Breach rules toughened for federal agencies

The White House’s Office of Management and Budget instructed U.S. federal agencies to alert US-CERT within one hour to any breach involving personally identifiable information, even if the possibility of a breach is only suspected.  Another memo (PDF), dated July 15, required that government agencies report any computer systems missing from their inventory and outline the results of an investigation into the handling of personally identifiable information within their agency.  The latest memos clarify the obligations of federal agencies under the Federal Information Security Management Act (FISMA) of 2002, under which agencies get graded on their security postures.


Researcher Takes Google Malware Search Public

A security researcher has posted a search tool that lets anyone sniff out malware using Google, a technique first discussed by California security vendor Websense.  HD Moore, the lead developer for the Metasploit Framework open-source exploit project, created a tool and posted code that shows how to use Google to look for specific data strings—which Moore dubbed “fingerprints”—within code already defined as malicious.


Monday, July 17, 2006

Threat Landscape For The Future


Network Access Heats Up With 802.1x Funk

Nine months after it acquired Funk Software for $122 million, Juniper Networks is rolling out network access control (NAC) security products based on Funk’s technology.  OAC is an 802.1x supplicant, which is defined as a piece of software that provides access to an 802.1x-enabled network.  Oliver Tavakoli, vice president of engineering at Juniper (and the former CTO of Funk Software), explained that 802.1x helps a network figure out at a port-by-port level who is accessing the network and what kind of access to allow.


EMC Deal Aimed at Securing Stored Data

EMC Corp.’s recent acquisition of RSA Inc. underscores the convergence of information security and storage.  EMC, which sells large storage systems for use in corporate data centers, bought RSA, a manufacturer of encryption software and devices, to provide it with identity and access management technologies and encryption and key management software, which will help EMC deliver information lifecycle management.  A survey last year by CompTIA, an IT trade association, found that protecting and securing data is the number one challenge in storage management.  Security was cited as the top concern by one-third of storage management execs surveyed; management and administration of stored data was the second highest concern, followed by speed of access to stored data, and making data more accessible.


Friday, July 14, 2006

IBM Releases Security Tool to Fight Off DOS Attacks, Worms

IBM has launched new software that will allow IT departments, telecom service providers and IT outsourcing companies to respond proactively to security threats like denial of service attacks and worms as they happen.
IBM Tivoli Security Operations Manager, announced yesterday, automates security data collection and analysis, presenting incident warnings in a real-time dashboard.


Thursday, July 13, 2006

Symantec says enterprises failing to secure instant messaging

Cupertino, Calif.-based security giant Symantec Corp. surveyed 400 CIOs on their organizations’ IM security policy, and found that 57% of them had no security or availability policies for their IM systems. The survey also found that only 22% of organizations archive their employees’ IM messages, a serious oversight that can lead to the leakage of confidential data or other sensitive information.  The results of the survey are especially surprising considering that the number of IM threats increased by more than 1,600% from 2004 to 2005, according to statistics gathered by Symantec. Last year the vendor recorded a total of 2,400 unique IM threats.


CSI survey: Data breaches still being swept under the rug

The Computer Security Institute (CSI) and the San Francisco Federal Bureau of Investigation’s (FBI) Computer Intrusion Squad released their 2006 report Thursday after surveying 616 computer security practitioners in U.S. corporations, government agencies, financial and medical institutions and universities.  The average loss reported by respondents was $167,713, an 18% decrease over last year’s average loss of $203,606.  Virus attacks; unauthorized access to networks; lost or stolen laptops and other mobile hardware; and theft of proprietary information or intellectual property accounted for more than 74% of financial losses, according to the CSI report, which can be downloaded from the organization’s Web site.  Despite talk of increasing outsourcing, CSI said the survey results indicate very little outsourcing of information security activities, with 63% of respondents saying their organizations do not outsource any computer security functions.


Tuesday, July 11, 2006

FDIC Proposes New Risk-Based Insurance Assessment System

The FDIC’s Board of Directors today approved for public comment two proposed rules governing deposit insurance assessments under the Federal Deposit Insurance Reform Act of 2005.  One proposal would create a new system that would more closely tie what banks pay for deposit insurance to the risks they pose.  It also would adopt a new base schedule of rates that the FDIC Board could adjust up or down, depending upon the revenue needs of the insurance fund. The second proposal issued today would continue to set the designated reserve ratio (DRR) for the fund at 1.25 percent of estimated insured deposits.


What CIOs can learn from Mediaeval Castles

If we compare the evolution of Infosecurity with history, how far have we come?  The authors believe that we’re somewhere shortly after the Norman Conquest—in other words, mediaeval.  However, that’s not a criticism: in fact, in the 13th century, they had a pretty strong grasp of security issues.  Go to any Heritage castle that dates from these times and you’ll see what they mean.  Take Harlech Castle in North Wales, for example.  Harlech formed part of the Iron Ring of castles built by King Edward I in order to quell Welsh resistance and prevent future insurrection.  Its design and location are testament to the advanced security architecture of the time and its success in securing key assets and keeping intruders at bay.

Design Blueprints

Back in the days of the crusade and the knight errant, the security of the castle was put above all else in the design phase.  A secure design was paramount, and a key part of the business of survival.  Whilst security remained uppermost in the mind of the castle architect, convenience and usability did also factor in the design process.


Monday, July 10, 2006

VPNs: $23B And Growing

A new report from Infonetics Research pegs the value of the VPN services market in 2005 at $23 billion, which represents 14 percent growth over 2004.  Jeff Wilson, principal analyst of VPNs and Security at research firm Infonetics, said that the VPN services market growth for 2006 is currently pegged at 11 percent.  In 2005, site-to-site VPNs accounted for 77 percent of the market’s revenue while remote access accounted for only 23 percent.


Friday, July 07, 2006

Security agency war game tries to teach Net defense

The National Security Agency may be known for its stealthy eavesdropping techniques, but it’s going public with advice for how to train a new generation to defend against computer threats.  Representatives from the usually secretive agency appeared at a SANS Institute event here to divulge “lessons learned” from their latest cyberdefense exercise.  The exercise, which took place over four days in April, pitted students from the five U.S. military academies and the Air Force’s postgraduate technology school against “bad guys” at NSA headquarters.  NSA representatives said they hoped the informal briefing would provide a wake-up call to all network managers, both inside and outside the government.


Criminals Increasingly Blend IT Threats

Security researchers at software maker MessageLabs contend that malware writers, hackers and other cyber-criminals are combining multiple forms of IT threats in an attempt to amplify their efforts.  In the company’s latest IT security intelligence report, MessageLabs experts said that criminals are converging their attacks across multiple communications channels, such as e-mail, instant messaging networks and Web sites, and are also pulling together information-gathering techniques, including spyware, spam and phishing schemes, as they seek new ways to menace businesses and consumers.  The company said that 64.8 percent of all worldwide e-mail traffic consisted of spam in June, representing a 6.9 percent increase over May’s totals.


Visa, MasterCard to unveil new security rules


Thursday, July 06, 2006

Most enterprises admit IT security failures

Almost 85 per cent of large US enterprises admit to having suffered an IT security incident over the past 12 months, and the number of breaches continues to rise, new research warned.  According to a Computer Associates poll of 642 US enterprise corporates, security breaches have increased by 17 per cent since 2003.  Some 54 per cent of organisations reported lost workforce productivity, 25 per cent reported public embarrassment, loss of trust/confidence and damage to reputation, and 20 per cent reported losses in revenue, customers or other tangible assets.  Of the organisations which experienced a security breach, 38 per cent said that it was internal.  Nearly 40 per cent of respondents indicated that their organisations do not take IT security risk management seriously at all levels, while 37 per cent believe their security spending is too low.  The three most important security steps are documenting security policies (88 per cent), creating security education policies for employees (83 per cent) and creating the role of chief information security officer (68 per cent).


Email gives way to new virus distribution tactics

The number of viruses transmitted by emails dropped to a record low in June, but spam is becoming an increasing problem for businesses, according to research published this week.  Separate research carried out by research firm Vanson Bourne on behalf of Business Systems Group shows that 53 per cent of UK businesses rate junk email as the most pressing email security threat—almost twice the urgency given to virus protection.  Rather than sending a virus in an email, malware writers now send spam emails with links to malicious web sites, which download viruses to users’ PCs.


McAfee, Inc. Reports Security Threats Doubled in Record Time

McAfee® Avert® Labs, which added the 100,000th threat to its database in September 2004, officially released protection this week for the 200,000th threat in its database, demonstrating a 60% decrease in the amount of time it took to double the number of threats in the database since September 2004.


Cisco to Buy Meetinghouse

Cisco Systems® today announced a definitive agreement to acquire the privately held Meetinghouse Data Communications, Inc. of Portsmouth, NH.  Meetinghouse provides client-side 802.1X supplicant security software that allows enterprise customers to restrict network access to only authorized users and/or host devices attempting to gain access to networked resources through both wired and wireless media.


VPN and Security Services Markets to Reach $37B in 2009

The VPN services market took in a whopping $23 billion in 2005 and is expected to grow another 22% to hit $29 billion in 2009.  Meanwhile, the managed security services market grew to nearly $5 billion in 2005 and is forecast to jump 68% to $8 billion in 2009.  Both markets are increasingly lucrative due to increased worldwide deployment of MPLS and the complexity of deploying VPN and security solutions, says Infonetics Research in its latest market size and forecast report, VPN and Security Services.


Researchers Break Down NAC Defenses

If you think currently available Network Access Control technology is going to put that much-needed fence around your organization’s most sensitive data, think again.  Researchers at Insightix, a security software vendor based in Ra’anana, Israel, later this month will show how they’ve broken the defenses of virtually every NAC vendor in a presentation at the Black Hat conference in Las Vegas.


Trojans On The March

Although virus rates themselves may be falling, Trojans are picking up the slack at an alarming rate, the vendors said.  Another common trend: the growth of malware is almost exclusively targeted at Windows operating system-based PCs, prompting one security vendor to advise users to switch to Apple Macs.  Security vendor McAfee said it now supports 200,000 threats with security updates, a jump of 100 percent within two years.  In the first six months of 2006 alone, McAfee added 32,000 new threats that it helps customers thwart.  Sophos reported that it is now protecting against 180,292 malware threats in June of 2006, up by 28 percent since June of 2005.  “It’s many codes without a real danger,” Panda Software Labs spokesperson Carolina Sanabria said.  Sophos is reporting that new Trojans outnumber worms and viruses by a 4-to-1 margin, compared to a 2-to-1 ratio in 2005.


Wednesday, July 05, 2006

Identity to Become the Key Technology Focus

Following their European e-Identity Conference, eema, an independent association for IT professionals, businesses and governments, has predicted that by 2020 digital identities will have a significant impact on the daily lives of the world’s population and that this is already the case in the more technologically-advanced, Internet-ready societies.  At the two-day conference in Barcelona, where delegates from 20 countries across Europe, North America and the Far East met to debate the key issues surrounding the realities of digital identity today, it was asserted that businesses and governments are waking up to the fact that their future success will depend on the effective and ethical management of a complex network of digital identity relationships with their employees, partners and customers.


Security Still Key WLAN Concern

Research firm Gartner Inc. says the growth of wireless LAN networking in the enterprise is causing users to worry more about WiFi security risks than ever before.  Gartner asked 200 networking and business technology firms in North America and Europe about their enterprise WLAN technology late last year.  Gartner says that security concerns are growing as WLAN networks become a standard part of the corporate landscape rather than being limited to conference rooms and branch offices.


Tuesday, July 04, 2006

Crash test dummies

Many firms are using live customer data to test applications.  Almost half (44 per cent) quizzed in a UK survey admitted they used valid information to run systems through their paces, a practice that leaves them potentially liable under the Data Protection Act (DPA), which prohibits organisations from using data for purposes other than those for which it was collected.


Monday, July 03, 2006

Outsourcing Managed Security

Many companies are turning to outside experts for help in dealing with the risks involved in handling confidential information.  Hacking incidents, losing data in transit, transmitting and storing data in ways that violate company policy, and money laundering all form a witches’ brew of vulnerabilities that can easily lead to millions of dollars in losses in lawsuits, regulatory actions, and damaged reputations.  It’s no wonder, then, that providers of managed security services are offering to relieve the burden of protecting sensitive data.  They can eliminate the pitfalls of managing and monitoring security devices and events, and ensure a rapid response to real threats.  Obtaining security services from an outsourcer demands an understanding of what such services are, as well as the ability to subject a company’s security policies, technology, and standards to objective scrutiny by a third party.