Cyber Security Institute

Thursday, February 22, 2007

Japanese police confirms cybercrime growth trend

Japan’s National Police Agency (NPA) released its annual cybercrime statistics for 2006, showing a massive 40% increase in the number of registered cases.  In total there were 4,425 cybercrime incidents logged and solved by police, up from 3,161 in 2005.  Although these figures are significant, growth levels have actually gone down from last year, when the number of cybercrime incidents was boosted by more than half.


Cisco’s Web Security Play

Cisco’s acquisition of XML vendor Reactivity today could set the stage for a new approach in handling the Web services security problem, experts say.  On the surface, the deal looks like a simple play for the networking giant to incorporate Web services capabilities into its hardware lines, but security experts inside and outside Cisco say there may be more to it than that.


Wednesday, February 21, 2007

Australia: Spam Volumes Grow

Marshal’s Threat Research and Content Engineering (TRACE) Team announced total spam volume is at its highest peak ever and has increased 280 per cent since October last year.


DoS attacks to be made illegal in Sweden

Denial of service attacks will become illegal in Sweden from 1st June this year.


Avoid Wasting Money on Penetration Testing

Penetration Testing is the final word in proving that technical compliance and good security practices are in place - or so it should be.  What is the impact on quality if the consultant is overworked?  The trouble with asking questions like these is that there’s no tick box to check when choosing your supplier.  Is it good quality for the consultant to do a quick portscan, and not cover all 65k ports, for example?  Doing a full port scan takes time, and usually turns up nothing a quick portscan wouldn’t find.  Is it good quality to identify ‘autocomplete’ on an application as low risk, because that’s the standard classification, without taking into account the context of the application and the business - e.g. a banking application?


VMs Create Potential Risks

Those tens of thousands of virtual servers spawned from your thousands of physical ones offer no guarantee your security policies will carry over, and can leave you with a security time bomb ticking away in your data center, according to vendors and some experts.  “Virtualization is both an opportunity and a threat,” says Patrick Lin, senior director of product management for VMware.


UK Bank Fined $1.9 Million for Losing Laptop

A major financial institution in the United Kingdom was slapped with a nearly $2 million fine for failing to adequately protect customer information.  The Financial Services Authority fined the Nationwide Building Society £980,000 for failing to have effective systems and controls to manage its information security risks.  The fine is directly connected to last year’s theft of a Nationwide laptop from an employee’s home.  During its investigation, the FSA found that the building society didn’t have adequate information security procedures and controls in place, potentially exposing its customers to an increased risk of financial crime, according to a release on its Web site.


Tuesday, February 20, 2007

Security Outsourcing Heats Up

Has security’s outsourcing day finally come? Some pretty big names in the industry think so—and they’re backing up those claims with money, people, and research.  The Computing Technology Industry Association (CompTIA)—one of the world’s largest associations of computing product manufacturers and service providers—has released the findings of a new study, conducted by Harris Interactive, which suggests security has become one of the key drivers in the managed services market. According to the study, firewall (60 percent) and security (40 percent) services are the two top managed services currently employed by user organizations, and security services (33 percent) are tied with storage and backup services (33 percent) as the top managed services scheduled to be added or upgraded in the coming year.


CheckFree to Purchase Corillian in Bid to Expand Offerings to Banks

The CheckFree/Corillian deal is just one more example of consolidation in the bank tech space, say experts.  Atlanta-based e-commerce services provider CheckFree last week announced plans to acquire online banking solutions company Corillian (Portland, Ore.) in a deal worth about $245 million.  The acquisition will bring together Corillian’s online banking platform and complementary suite of financial applications, and CheckFree’s electronic billing and payment, and online transaction services.  According to Steve Olsen, CheckFree’s COO, the union will help the company reach further into the online channel as it attempts to expand its client relationships and help those banks it serves do the same.


Saturday, February 17, 2007

Mobile phone hackers on the rise - study

Dubai: Operators are reporting more incidents of phone hacking, known as malware attacks, than ever before, according to a new study by Informa Telecoms & Media (ITM).  The research found that nearly half of the operators who have experienced malware outbreaks have had one within the last three months.  Twice as many mobile operators spent over $200,000 on mobile security in 2006, compared to 2005.


Friday, February 16, 2007

Modulo Intros Risk Manager

Modulo Security, the Brazilian and Latin American market leader in risk management, introduces to the United States market the Risk Manager, a powerful system that has been used in more than 4,000 projects and provides structured risk assessment for technological assets (such as software and equipment) and non-technological assets (such as people, processes and environments).


Tool Uncovers Inadvertent ‘Chatter’

Researchers from Errata Security plan to release a free tool at the Black Hat D.C. briefings later this month that gives enterprises a firsthand look at what data is bleeding out of their client machines every day, especially in wireless networks.


Global Data Leakage Survey 2006

The InfoWatch analytical center has published its results for 2006 presenting the first global survey of internal information security (IS) breaches.  The database contains nearly 500 entries, 145 of which were added during 2006.  The results of the survey naturally supplement the conclusions of the wide scale survey Internal IT Threats in Europe 2006 in which InfoWatch questioned more than 400 European organizations.  However, unlike the latter project, Global Leakage Survey 2006 identifies tendencies in the development of internal threats of IS and how they happen.

Key conclusions

For the most part, it is businesses that suffer from leaks of confidential information.  According to the survey, 66% of internal breaches occurred in private companies.  Moreover, businesses carry the main burden of loss caused by such leaks since a company’s competitiveness depends on its reputation, and reputation is the first thing to suffer in the event of an information leak.  In 2006, a vast number of people suffered from information leaks.  Just 150 breaches exposed 80 million people to identity theft.  Many of them are now at risk of becoming victims of swindlers, losing all their savings, or having their credit history ruined forever.  Every leak of personal information causes million-dollar losses.


Ensuring a Successful Partnership with Your MSSP

Securing information assets has become a highly complex function demanding significant investment in process definition, security expertise, systems, and infrastructure.  Compounding these challenges, it requires internal alignment between the various business units, IT organization and security teams to ensure the tensions between availability and security are well balanced.  An internal approach requires a staff with security expertise, in addition to systems, toolsets, and processes to maintain an organization’s security posture around the clock.  Organizations that have time and money to implement an internal solution benefit from their ability to fully customize the solution, to integrate internal systems including their ticketing environment and/or patch management systems, and to retain internal security knowledge.  If an organization is willing to share its network visibility with a trusted MSSP partner, it can benefit from shorter implementation time, skilled personnel, predictable cost, and a constant security posture through the partner’s ability to identify security events in a proactive manner, and provide an organization with refined information to take action on.  An MSSP can help remove the burden of managing and monitoring security devices and offer the earliest possible warning of new threats emerging on the Internet and corporate networks.


Thursday, February 15, 2007

3G Card Secures Laptops

Lost your laptop full of company secrets?  No problem: A prototype PCMCIA card developed by Bell Labs for laptops can lock that data down as soon as you’ve reported it lost or stolen, and throw away the keys.  It can also let IT locate a lost or stolen laptop via a built-in GPS on the card.


Breach Insurance

When it comes to natural disasters, such as floods or tornadoes, most companies wouldn’t even consider going a day without insurance.  “It’s still a new idea for most companies,” says Julie Davis, executive vice president and managing director at Wired for Growth, a unit of Aon, a major risk assessment and insurance brokerage.  Once called cyberinsurance and still sometimes known as cyber liability insurance, these terms all describe ways that a company can protect itself against the eventuality of a business-crippling hack, data loss, or privacy violation.


Tuesday, February 06, 2007

Most IT Managers Expect Major Security Hit Every Year

A new survey shows that 60% of IT managers expect at least one major incident every year that could halt or disrupt a critical part of their businesses, according to a survey released by Symantec.  The results also showed that 66% of IT managers expect they’ll be hit by some type of security or compliance incident in the next one to five years, according to Symantec.  In addition, 58% say they anticipate suffering a major data loss, caused by a data center outage, corruption of data, or a security breach, at least once every five years.


CA’s New Host-Based Intrusion Prevention Provides Centralized Protection Against Online Threats

At RSA Conference 2007 in San Francisco, CA announced CA Host-Based Intrusion Prevention System (CA HIPS), a new solution that combines advanced firewall, intrusion detection and intrusion prevention capabilities to defend enterprise computing assets against today’s blended threats.  By providing centrally managed proactive threat protection for PCs and servers, CA HIPS enables IT organizations to quickly and efficiently implement best-practices security policies for system endpoints across the enterprise.  CA HIPS provides proactive, host-based security to counter zero-day attacks by detecting anomalies in system behavior.  Administrators can define rules for automatically responding to these anomalies—such as blocking a suspicious application’s communication with the rest of the network until the potential threat can be evaluated fully.


OpenID Joins Microsoft’s New Security Features

Five years after helping to launch Microsoft’s Trustworthy Computing initiative, Bill Gates put some grace notes on how far and wide the extensive effort helped improve the company’s product lines.  “It was just last week that we released Vista and that’s a big milestone for us in terms of security because we had a chance to apply our development process, our secure design lifecycle process to that product,” he said during the RSA Security Conference here.  Gates, who is transitioning out of day-to-day management of the company by 2008, called security the fundamental challenge that will determine whether the industry can successfully create a new generation of connected experiences.  “The answer for the industry lies in our ability to design systems and processes that give people and organizations a high degree of confidence that the technology they use will protect their identity, their privacy and their information,” he said.  In an update that reflected a thaw in Microsoft’s approach to some open source projects, Gates said the company’s Windows CardSpace identity management metasystem will work with OpenID 2.0, an open source user-driven digital identity framework.


Friday, February 02, 2007

EMC Kicks Off With Security

EMC will use the RSA Security Conference in San Francisco next week to unveil technologies from its $2.1 billion security acquisition built into its storage systems.  Next week’s announcements will be the first of several enhancements EMC is expected to make this month to its high-end Symmetrix and midrange Clariion storage platforms and affiliated software.  EMC has not confirmed any of the products, but industry sources and EMC marketing materials acquired by Byte and Switch spell out the moves.


Microsoft launches new SSL VPN solution

Microsoft has announced the availability of Intelligent Application Gateway 2007, the company’s new secure access solution that combines virtual private networking technology acquired from Whale Communications with a Web application firewall.


Thursday, February 01, 2007

Dorf storms the malware charts

The latest malware monitoring data from Sophos said that Dorf has rampaged to the top of the monthly malware threat chart to account for almost 50 per cent of all malware seen during January.  Dorf was aggressively spammed out posing as breaking news of deaths caused by stormy European weather during January.


Study: ID fraud in decline

Despite high-profile data breaches, identity fraud may be on the decline, according to a study released on Thursday.  The firm found that the percentage of the U.S. adult population that experienced fraud dropped to 3.7 percent in 2006 from 4.0 percent in 2005.  The Javelin study found that the victim’s income played a major role in the fraud rate.  While Americans with incomes of more than $150,000 had a high rate of fraud, with 7.3 percent reporting incidents, they only took half as long to resolve fraud as victims whose income was less than $15,000.


Biometric Data Specification for Personal Identity Verification - NIST SP 800-76-1

The Homeland Security Presidential Directive HSPD-12 called for new standards to be adopted governing the interoperable use of identity credentials to allow physical and logical access to Federal government locations and systems.  The Personal Identity Verification (PIV) standard for Federal Employees and Contractors, Federal Information Processing Standard (FIPS 201), was developed to establish standards for identity credentials.  This publication describes technical acquisition and formatting specifications for the biometric credentials of the PIV system, including the PIV Card itself.  It enumerates procedures and formats for fingerprints and facial images by restricting values and practices included generically in published biometric standards.


2007 Bank Technology Forecast: Challenges and Opportunities

The rapid progression of fraud schemes, regulatory initiatives, margin and cost pressures, customers’ demands, and the overall pace of change in technology inundated business and technology management in the global banking industry over the year.  The good news (for some) is that these challenges are setting up a clear playing field upon which the winners will be separated from the losers more so than at any time in the past decade.  Some of the more critical and far-reaching priorities bank technology and business leaders will need to address in 2007 are outlined below.
Fraud-Detection and Security Technologies
Analytics for Marketing, Risk & Business Performance
Service-Oriented Architecture