Cyber Security Institute

Thursday, November 30, 2006

New Threats Loom for 2007

McAfee Avert Labs, the research arm of the popular antivirus vendor, yesterday unveiled its predictions for 2007, based on its analysis of more than 217,000 threats collected to date.  “The increasing use of video formats on social networking sites such as MySpace, YouTube, and VideoCodeZone will attract malware writers seeking to easily permeate a wide network,” says David Marcus, security research and communications manager at McAfee Avert Labs.  Similarly, the emergence of smarter, better-connected mobile devices and services will make wireless systems a juicy target in 2007. PC-to-phone and phone-to-PC infections, which first emerged in 2006, will increase in 2007, McAfee Avert Labs predicts.


Wednesday, November 29, 2006

Security ID Governance on Oracle’s Standard Plate

Oracle said it is pushing a new security framework to help companies better protect sensitive employee, customer and partner information exchanged through applications.  Ping Identity, Securent, CA, Novell and Sun Microsystems are joining the Identity Governance Framework (IGF), an effort Oracle is spearheading to fill a void in security standards.  IGF addresses what happens once data gets into corporate applications, making it a complementary spec to basic identity management standards such as Liberty’s Identity Web Services Framework (ID-WSF) and OASIS’s Security Assertion Markup Language (SAML).  IGF is crucial for meeting compliance rules and elementary security requirements, according to Amit Jasuja, vice president of development for security and identity management at Oracle.


Tuesday, November 28, 2006

Measuring Security

With cyber attacks continuing to make headlines, companies have responded by rapidly increasing IT security spending even as overall IT budgets have remained flat or declined. Gartner predicts that security software spending will have a compound annual growth rate of 16.2% from 2005-2009 with information security spending representing approximately 6% of overall IT budgets.


Monday, November 27, 2006

BT to make DDoS mitigation affordable

ISPs could provide the answer to combating DDoS attacks, according to BT, by providing customers with DDoS mitigation at a price far cheaper than buying it in directly.  According to Mick Creane, Head of Managed Security Strategy at BT, ISPs are in a unique position to make DDoS mitigation affordable for their customers, and it’s something BT is already considering.  “We’re looking at technology in the core of our network that would direct traffic through a ‘scrubbing centre’,” he said.  DDoS mitigation would be sold as an add-on to its business packages, and its effectiveness would be written into a service level agreement.


Federal Rules May Not Fully Secure Online Banking Sites

Financial institutions that truly want to bolster their online security need to look beyond the federal guidelines on end-user authentication that go into effect Jan. 1, IT managers and analysts said last week.  The guidelines, issued last year by the Federal Financial Institutions Examination Council (FFIEC), call on banks and credit unions to adopt so-called strong authentication measures for protecting online customers against identity theft and other types of fraud.  “Strong authentication certainly isn’t a silver bullet,” said Melissa Auchter, CIO at Parda Federal Credit Union in Rochester, Mich.  “It just protects one doorway.  It’s one more measure in a comprehensive approach to protecting the assets of our members.”


Gartner: $2 Billion in E-Commerce Sales Lost Because of Security Fears

In 2006 alone, retailers lost almost $2 billion because of consumer security fears, according to a Gartner survey of 5,000 U.S. adults conducted in August and published on Nov. 27.  About one-half of those losses ($913 million) came from people who avoided sites that seemed less secure; the rest (about $1 billion) came from consumers who were too afraid to conduct e-commerce business at all.


Monday, November 20, 2006

Small companies ignorant of security?

Small businesses must become more aware that they are the potential victims of cybercrime, former White House security adviser Howard Schmidt has urged.  Speaking at an IT security event at London’s House of Lords on Monday, Schmidt said all businesses are at risk through a lack of proper configuration of security equipment, or through not taking proper security precautions.  “SMEs (small and midsized enterprises) are not aware of being a potential victim—spending 40 pounds per year on antivirus is not a high priority,” he said at the event, organized by managed services specialist Claranet.


Thursday, November 16, 2006

7.3 Per cent of IT Budget Spent on Security

US enterprises will have spent USD 61 billion on security by the end of this year, representing 7.3 per cent of total IT spending in the US, a new report from Info-Tech Research Group states.  “While many companies will have tactical reasons to exceed or under-spend compared to the average 7.3 per cent of IT budget, those that are spending in the five to ten per cent range can be assured that their budgeting is consistent with industry norms,” said Daugavietis.


Companies are not spending their security dollars wisely

Today’s enterprises are not spending their security dollars wisely, often shelling out vast sums to protect their least-sensitive digital information while ignoring common risks like insider threats and paper theft—a situation that security experts insist is likely to get worse over the next four years.  Recent research conducted by analyst firm Forrester Research Inc. in Cambridge, Mass., indicates that organizations are spending millions on security, but not in the areas where the risk is greatest.


Study: MS SQL Server Is Safest DB

That big spike in Web application vulnerabilities is bad news for your database.  And apparently, some databases are more of a target than others.  Eric Ogren, security analyst for Enterprise Strategy Group, has compiled Common Vulnerabilities and Exposures (CVE) data from Oracle, Microsoft’s SQL Server, and the open source MySQL database, and found some major differences.  “Microsoft finds the problems before it gets to the point of using a scanning tool,” he says, whereas Oracle relies on scanning for problems after development is complete.  Over 70 percent of the vulnerabilities Symantec saw this year were Web application bugs, which are often the entry point to the database, says Oliver Friedrichs, director of Symantec Security Response.


Tuesday, November 14, 2006

More Security Wares Lined up For Vista

ESET Software today released NOD32 2.7 of its antivirus software, expanding its malware-detection capabilities and adding support for Windows Vista.  Despite Microsoft’s touting of Vista’s security, ESET said it’s only a matter of time before malware shows its ugly face on Vista.  “Out of the box, Vista’s going to be more secure than Windows XP or anything else Microsoft has released,” said Randy Abrams, director of technical education at ESET.  “But like any OS out of the box, users can do a tremendous amount of damage if they want to.”


Saturday, November 11, 2006

Microsoft Publishes Windows Vista Security Guide

Microsoft published its Windows Vista Security Guide this week, aiming to help corporations lock down the security on desktops and laptops that run the operating system.  Microsoft’s security guide will provide two major configurations for enterprise customers: A standard set of security settings for clients and a Specialized Security-Limited Functionality (SSLF) feature set.


Friday, November 10, 2006

NIST publishes: Information Security Handbook: A Guide for Managers

This Information Security Handbook provides a broad overview of information security program elements to assist managers in understanding how to establish and implement an information security program.

Purpose and Applicability

The purpose of this publication is to inform members of the information security management team (agency heads; chief information officers [CIOs]; senior agency information security officers [SAISOs], also commonly referred to as Chief Information Security Officers [CISOs]; and security managers) about various aspects of information security that they will be expected to implement and oversee in their respective organizations.


U.K. outlaws denial-of-service attacks

A U.K. law has been passed that makes it an offense to launch denial-of-service attacks, which experts had previously called “a legal gray area.”


Russia Moves for Tougher IP Protections

The United States and Russia expect to sign a bilateral trade agreement next week that includes setting benchmarks and enacting new laws for the protection of intellectual property.  Russia, along with China, topped the Congressional International Anti-Piracy Caucus’ 2006 International Piracy Watch List.


Thursday, November 09, 2006

Phishing is becoming a higher value illegal activity for hackers

The size of their average catch increased almost five-fold, from $257 per victim last year to $1,244 in 2006.


Wednesday, November 08, 2006

Microsoft trains partners to improve security

Microsoft called up more than 50 technical experts from its OEM partners this week for a two-and-a-half-day refresher course in the software giant’s Security Development Lifecycle (SDL), the company’s initiative aimed at drastically reducing the number of vulnerabilities shipped in its products.  The presentations will cover threat modeling, secure coding and the hacker viewpoint, Michael Howard, security program manager for Microsoft, said on his blog.


81% of IT Managers report a security incident due to IM or other Greynets

FaceTime Communications and market research firm NewDiligence today reported results of their annual survey, Employee Use of Greynets: 2nd Annual Survey of Trends, Attitudes and Impact.  The study confirms that employees are continuing to download and use unsanctioned applications to gain new business productivity advantages, while IT managers confirmed that greynets continue to be dangerous if left unmanaged and can introduce significant risks to the business.  The most common attacks continue to be from spyware and adware (75 percent), viruses and worms (57 percent), other malware (22 percent) and rootkits and keyloggers (22 percent).


Managed Services on the Rise

The value of managed services is clear: They offload a lot of burden from a company, saving it time and money and reducing learning curves to a nearly flat line in some cases.  In a study commissioned by Cisco Systems, research firm Ovum said that it expects the global managed services market to reach $41.5 billion per year by 2009.  The study results include predictions that by 2009, managed VPNs will account for 53 percent of the managed services market and that managed VoIP will account for the fastest growth with a 65 percent compound annual growth rate.  “Because they can offer around-the-clock monitoring of network performance, improved application performance, and predictable service levels, managed service providers are in a unique position to expand their business in an effort to address the growth of this market,” said Insight President Robert Rosenberg.


Defending the data will be a focus for 2007

Regulatory requirements and increasing consumer concerns about information security breaches are making data-level security controls a top priority for 2007, according to IT managers at the Computer Security Institute trade show held here this week.  After years of implementing technologies such as firewalls and intrusion-detection systems to keep network perimeters safe, companies now must move similar controls down to the data level, they said.  Nonpublic information of all sorts needs to be protected, whether it is at rest or in transit, and that requires an increasing focus on measures such as data classification and encryption, stronger user access and authentication and usage monitoring and auditing, John Ceraolo, director of information security at JM Family Enterprises Inc, said.


Tuesday, November 07, 2006

Security must focus on desktop policy

The challenge of controlling security threats triggered by users in the workplace shows no sign of abating, new research commissioned by Check Point Software Technologies suggests.  The study carried out by YouGov, which sampled over 1,000 UK corporate employees, reveals that 60% of users accessed personal web and email applications such as MySpace, Hotmail and Gmail from their work computers at least once a week, with 28% using an instant messenger (IM) application.


19 Ways to Build Physical Security into a Data Center

At information-intensive companies, data centers don’t just hold the crown jewels; they are the crown jewels.  Protecting them is a job for whiz-bang technologists, of course.  But just as important, it’s a job for those with expertise in physical security and business continuity.  That’s because all the encryption and live backups in the world are a waste of money if someone can walk right into the data center with a pocket knife, a camera phone and bad intentions.  There are plenty of complicated documents that can guide companies through the process of designing a secure data center, from the gold-standard specs used by the federal government to build sensitive facilities like embassies, to infrastructure standards published by industry groups like the Telecommunications Industry Association, to safety requirements from the likes of the National Fire Protection Association.  But what should be the CSO’s high-level goals for making sure that security for the new data center is built into the designs, instead of being an expensive or ineffectual afterthought?


Monday, November 06, 2006

Symantec to Acquire Company-i

Symantec Corp. announced it has signed a definitive agreement to acquire Company-i, a UK-based professional services firm that specializes in addressing key challenges associated with operating and managing a data center in the financial services industry.  The acquisition furthers Symantec Global Services’ capability to help clients manage IT risk and cost, particularly in the data center.


Friday, November 03, 2006

Security threat changing, says Symantec CEO

The threat posed to computer users and companies by hackers is shifting from attacks on the computers to attacks on electronic transactions, according to the head of one of the world’s largest security software vendors.  John Thompson, chairman and CEO of Symantec Corp., said the change has been taking place over the past few years but has recently been accelerating.  “While a few years ago many people were much more focused on attacking the machine and attacking the broad-based activities that were going on online, now all of a sudden we’ve noticed a significant shift in both the type of attack and the motivation of the attack,” he said.


Review of The 6th Annual InfoSecurity New York Conference and Exhibition

The 6th Annual InfoSecurity New York Conference and Exhibition was a major draw for financial institutions seeking the best and latest products and services available in the information security industry.  The conference offered cutting-edge solutions for financial institutions looking to secure their IT infrastructure and maintain the overall integrity of their information security programs.  Because cyber threats keep evolving, effective security is not a single quick fix; it is an ongoing process that requires continual awareness of the newest threats and their countermeasures.  For the average bank employee, such issues are easily written off as the responsibility of more technical personnel, perhaps solely the head of the IT department, who often also acts as the CISO or fills other roles.  However, as one comes to realize from attending this conference, there is a plethora of vendors and solutions that can affect numerous people within an organization, and therefore also the security solutions a company chooses to adopt.


Security Management in Flux

With heavy hitters like Cisco, Microsoft, and Oracle joining the security market through strategic acquisitions—and some new development—enterprises should get some price breaks on security tools, says Blum, senior vice president and research director with Burton.  “The security market is drifting toward lower prices and large, integrated suites,” Blum says, with antivirus and anti-spyware companies converging their products, as well as network security vendors like Cisco and Juniper doing the same on their end, adding features such as network access control to their network devices.


Thursday, November 02, 2006

MasterCard tackles PIN-based debit card fraud

MasterCard Worldwide will introduce in the first quarter of 2007 a new service to help banks and other card issuers detect and stop PIN-based debit card fraud in real time.  “From our perspective, a PIN transaction is probably the most secure transaction” a cardholder can make, said Jerry Sargent, MasterCard’s vice president of debit strategy and alliance development.  The new service will add to that security while at the same time alleviating growing consumer concerns about online fraud, he said.


Wednesday, November 01, 2006

Symantec Intros Anti-virus Software for Windows Mobile

Security software market leader Symantec rolled out its latest package of anti-virus applications for Windows-based mobile devices.  Dubbed Mobile AntiVirus 4.0 for Windows Mobile, the product promises to help protect data stored on smart phones running the Microsoft operating system, including offering the ability to wipe out data present on lost or stolen devices.