Cyber Security Institute

Thursday, December 28, 2006

Coast Guard mandates e-mail phishing training

The Coast Guard is ordering all personnel connected to its network to take mandatory training on how to avoid fake e-mail messages that try to acquire sensitive data in a technique known as phishing and even more highly targeted attacks known as spear phishing.  Last month, the Defense Department mandated that all its personnel take spear phishing awareness training by Jan. 17.


Tuesday, December 26, 2006

FTC gets broader authority to pursue foreign spammers


Friday, December 22, 2006

Data Security, Terrorism Top Executive Worries

Corporate executives are more worried about data security and terrorism than anything else, according to a new study.  Sixty-one percent of executives report being most concerned about information systems being compromised, and another 55% worry about terrorism, according to a Harris Interactive poll that was conducted in September.  Thirty-two percent of those polled called environmental mishaps a top concern, while 21% said they’re highly worried about product recalls and 19% are highly worried about workforce violence.


Financial Institutions Face Tight Compliance Requirements in 2007

In December, the Public Company Accounting Oversight Board (PCAOB), which establishes rules for compliance with Sarbanes-Oxley, proposed a new standard for Sarbox section 404, which governs internal controls over financial reporting, including IT controls.  Separately, the Payment Card Industry data security standard will require merchants and payment processors to implement stringent IT security procedures, such as additional firewalls and access controls.  These laws include both proactive components (having an information security policy, implementing access control technology) and reactive components (disclosure of security breaches).


Thursday, December 21, 2006

Security 2007: keeping ahead of the hackers

The IT security firm ScanSafe said that 2006 marked the ascendance of web threats such as the Windows Meta File flaw, and that this trend is expected to continue in 2007 as more and more threats shift to the web.  As more users go online to take advantage of Web 2.0 applications like social-networking sites, blogs, wikis and RSS feeds, malware authors are going to be right behind them, ScanSafe warned.  According to a survey by the ePolicy Institute, 31 per cent of employees use IM at the office, and 78 per cent of those users are downloading free IM software from the internet. 


Singapore: Cyber-security challenges set to grow in 2007

If anything, the common prognosis among security vendors is that cyber-crooks are likely to get smarter and the deluge of unsolicited e-mail will continue to be the bane of Internet users in the year to come.  ‘The greatest challenge we seem to be facing today is that there has been a major shift in cyber-attacks, and thus cyber-security. Viruses are no longer spread through mass attacks, but rather through attacks which are calculated and far more targeted, targeting individuals who can be exploited through vulnerabilities in their systems,’ said Eric Chong, country manager, consumer/SOHO segmentation of security software maker Trend Micro.  Echoing his sentiment, Bill Robbins, Symantec’s senior vice-president of Asia-Pacific and Japan, said: ‘One of the major challenges we face is an evolving threat environment.’  ‘2006 was a year in which professional crime organisations blanketed the Internet seeking financial gain with criminal intent,’ added Benjamin Low, Secure Computing’s country manager for the ASEAN and India region.


Tuesday, December 19, 2006

Check Point to acquire NFR Security

Check Point Software Technologies announced an agreement to acquire privately held NFR Security, a maker of intrusion-detection and -prevention systems, for approximately $20 million.  Gil Shwed, founder and CEO of Israel-based Check Point, indicated the firm has plans to incorporate NFR’s Sentivist IDS and IPS technologies into the Check Point line of firewall, VPN and security management products.


Friday, December 15, 2006

Targeted security attacks on the rise

MessageLabs now intercepts two attacks each day, compared to one per week at the same point in 2005.  The targeted approach is prevalent in phishing attacks too, an increasingly dominant force in all malicious emails intercepted by MessageLabs, with levels rising from 10.6 per cent in January to 68.8 per cent in December.


Thursday, December 14, 2006

Visa U.S.A. adds financial incentives, fines to PCI program

Visa U.S.A. Inc. is adopting a carrot-and-stick approach to help drive merchant compliance with the Payment Card Industry (PCI) data security standard that it—along with other credit card companies such as MasterCard International Inc. and American Express Co.—is pushing.  The company announced that it has created a new $20 million incentive program under which it will monetarily reward “acquiring” financial institutions if their members are fully compliant with PCI requirements by Aug. 31, 2007.  At the same time, acquiring banks that fail to ensure compliance by Sept. 30, 2007, will be assessed fines starting at $5,000 a month for each noncompliant merchant.


Wednesday, December 13, 2006

Gartner Prediction for 2007

By the end of 2007, 75% of enterprises will be infected with undetected, financially motivated malware that evaded their traditional perimeter and host defenses, according to a new Gartner report.


Rustock Trojan A Model For Future Threats

The tactics used by a sophisticated threat of 2006 will become staples in exploits during the year to come, according to a security researcher.  That threat, dubbed “Rustock” by Symantec, is a family of backdoor Trojan horses that first appeared nearly a year ago, says Patrick Martin, a senior product manager with the Cupertino, Calif., company’s security response team.  Among Rustock’s distinguishing characteristics are its heavy reliance on advanced rootkit technologies to hide from security software and its changeling-like ability to morph itself each time it infects a file.  “The techniques that [Rustock] is using will be the baseline for threats in the future,” Martin says.  “It’s using techniques that most rootkit detectors aren’t looking at or for yet,” says Martin.  The longer a Trojan can remain undetected, the longer it can stay on a PC, and the more income it can generate for its owner.


EMC Boosts Security Level of Network Analysis Software

EMC officials Dec. 13 unveiled EMC Smarts IP Availability Manager 7.0 and EMC Smarts Service Assurance Manager 7.0 software, products the company says bring heightened levels of security and cross-domain support for managing IT and service provider environments.  Smarts IP Availability Manager automates real-time root-cause analysis of critical network connectivity layers, including network-attached storage connectivity.  Its impact analysis is designed to distill thousands of simultaneous events into a few root-cause problems.


Monday, December 11, 2006

2007 To See More RFID Adoption, Continuing Need For Training

Many businesses aren’t ready to deal with the growth.  The RFID market is expected to grow at a compound annual growth rate of nearly 20% over the next six years and several factors are coming together to ease adoption of the technology.  David Sommer, VP of e-business and software solutions at CompTIA, who speaks often about the looming shortage of RFID-trained workers, said that many factors are converging to promote RFID growth, but companies must focus on training workers to make sure the technology will work for them.  Global standards, interoperability, and declining prices are working in favor of rapid adoption, said Sommer, who worked with more than 20 organizations to develop CompTIA’s professional RFID certification program.


Blurring the Line Between SOC & NOC

The line between the security operations center (SOC) and the network operations center (NOC) in some organizations is starting to blur, as the pressure intensifies on today’s businesses to prevent more sophisticated and damaging security breaches—and to do it on a budget.  Boston Medical Center, for example, recently merged its NOC and SOC operations, and is currently cross-training both groups, says Arsen Khousnoudinov, manager of network and security infrastructure for the medical center.


Friday, December 08, 2006

Information Security Trends, Issues Continue to Evolve - FINSEC 2006 Conference, New York

The arms race against phishers, strengthening firewalls, FFIEC authentication deadline issues and the constantly evolving risk management model were among the many topics covered by the FINSEC 2006 conference speakers last week in New York.  With 10 vendor sponsors at the conference, attendees could examine information security solutions during the conference breaks, ranging from CD and DVD encryption to anti-virus software and authentication solutions.  The presentations on security strategies, tools and techniques covered in the two-day conference were led by eleven information security experts from national banks and financial firms.  The authentication session was standing room only within five minutes of the start, showing that many of the FINSEC 2006 attendees wanted to know how the authentication guidelines will apply to their institutions.


Thursday, December 07, 2006

Ideas You Can Steal from Six Sigma

Six Sigma’s data-driven, acronym-laden focus on quality improvement might seem like a mismatch if the rest of your company isn’t on the program.  But if you listen to a few well-respected security veterans of Six Sigma talk about its benefits, you might be ready to give some Six Sigma ideas a try.  “Six Sigma is all about measuring process improvement, about taking defects out of a process,” explains Frank Taylor, CSO of General Electric.  “As fiscal pressures and consequences of security grow, business leaders are going to demand that we have a way to indicate how effective our programs have been,” Taylor points out.  Once you’ve got that in place, here are a few Six Sigma tenets that stand to deliver the biggest bang for the buck in terms of improving the efficiency and effectiveness of both physical and information security.


Oracle Spurs Single Sign-On Surge

Oracle yesterday launched a new suite of single sign-on products, brushing the dust from a largely dormant technology that might see a revival under emerging Web standards.  Oracle announced the general availability of its Oracle Enterprise Single Sign-On Suite, which includes a logon manager, a password reset app, an authentication manager, and a provisioning gateway.  Single sign-on (SSO) technology has been available for more than a decade, but its adoption has been limited because of difficulties in making it work across disparate vendors and domains, all of which use different methods for managing user identities.  SSO works well in closed environments where most of the users are known and registered, but it has encountered trouble in more dynamic environments with less predictable user traffic.  About 30 percent of all helpdesk calls require a password reset, at a cost of $25 to $50 per call, according to a Gartner study published earlier this year.


Tuesday, December 05, 2006

The Truth about Patching

According to an April 2006 report from the Yankee Group consultancy in Boston, Mass., the various security investments enterprises have made do, indeed, make it more difficult for “criminals, spies and miscreants” to break into corporate networks.  However, the report says the criminal element is focusing on new attack strategies, one of which is “quickly creating and launching exploits to vulnerabilities before enterprises can patch against them.”  The so-called zero-day (0-day) attack, where an attack is launched against a vulnerability before a patch is created to plug that vulnerability, has long been a great fear of any security professional.  With the criminal element actively seeking out opportunities for such an exploit, it’s more important than ever for organizations to take stock of their patching strategy.


Friday, December 01, 2006

Virtual concerns

Administrators, developers, and power users are starting up new virtual workstations and servers with every new corporate breath.  Administrators and CSOs are considering all of these ideas to save money and increase security. Whether virtual solutions have the speed, flexibility, and security to become a win-all solution is yet to be seen. I remember hearing the same promises during the heyday of thin-client computing, and that technology largely failed.  Of course, for every security benefit a virtual machine provides, a new security threat or risk emerges.  The author wants to add some other scenarios to consider.


New E-Discovery Rules Take Effect

The U.S. legal system made good on its promise to get stricter in compelling companies to produce electronically stored information as evidence in civil court cases.  As of Dec. 1, companies and their IT departments must produce information earlier in the litigation process, and if they can’t, they’d better be ready to explain why.  If you have a policy governing how long your company stores information before it’s purged, be prepared to prove that policy was in effect and enforced before the court’s request for information.


Fortifying Identity Products

With mounting security concerns and compliance regulations putting pressure on corporations to protect their enterprise assets, CA has fortified its identity and access management (IAM) portfolio at the behest of customers.  Chief among CA’s IAM improvements are new security capabilities in eTrust SiteMinder 6.0 service pack 5 (SP5) release that will help CA’s enterprise customers safely exchange sensitive business applications with multiple partners.  This identity federation, which connects disparate business applications and processes across several organizations and internal business units, allows business managers to provision access rights to make users part of the same security domain.