Cyber Security Institute

Tuesday, June 26, 2007

Users: Encryption No Silver Bullet

Encrypting data as it travels across corporate networks could be a distraction from the real security challenges facing organizations, warned IT managers at a security event here today.  These sentiments were echoed by fellow panelist and Security Constructs analyst Tom Bowers, a former information security officer in the pharmaceutical industry.  “Encryption can solve a lot of problems, but it’s not the be-all and end-all,” he said, using the example of an unscrupulous employee using a digital camera to take an image of an encrypted file.


Friday, June 22, 2007

Security Fears Slow Virtualization

Concerns about security may be slowing the adoption of virtualization technology, according to a report issued yesterday by research firm emedia.  Some 51 percent of current users think that virtualization poses some new risks, but the figure rises to 57 percent among those planning to use the technology within the next six months—and to 66 percent among those planning to adopt it within the next six to 18 months.  In April, Gartner issued a report that predicts virtual servers will be less secure than physical servers through 2009.


Online Attacks Increase at Financial Institutions

RSA’s Anti-Fraud Command Center issued its monthly online fraud intelligence report for May. The statistics show that attacks on U.S. nationwide banks accounted for 33 percent of all attacks on US financial institutions, more than double the April figure.


Thursday, June 21, 2007

Securing the ‘Company Jewels’

If your company is like most others, you probably know that intellectual property—the “other” IP—is the biggest target on the crooks’ want lists right now.  A study by the analyst firm ESG, sponsored by security tool vendor Reconnex, shows that many enterprises are struggling to secure their intellectual property.  “When we asked people how they were doing in securing IP, most of them said they felt their organizations were doing a good job, if not excellent,” notes Jon Oltsik, the ESG analyst who authored the study.


Wednesday, June 20, 2007

Log management push has its roots in compliance

Enterprise interest in log management is heating up as compliance requirements push organizations to get a grip on their log data.  No single compliance requirement is driving that interest, Henry said.  A couple of years ago SOX was the top concern, since it spurred most new audit efforts, but now log data is important for demonstrating an organization’s controls under a variety of regulations, he added.  But Dave Shackleford, vice president at the nonprofit Center for Internet Security and a SANS instructor, said the PCI Data Security Standard in particular is helping to make log management a hot topic in the enterprise.


Monday, June 18, 2007

Feds choose 10 vendors to secure mobile data

The U.S. government has awarded contracts to 10 software companies that meet its requirements for protecting sensitive information stored on laptops, handhelds and other mobile devices.  The contracts, known as blanket purchase agreements, are open to all federal, state and local government agencies, as well as to other North Atlantic Treaty Organization countries.  The U.S. General Services Administration, which oversees the so-called Data at Rest Encryption Program, says the agreements could be worth $79 million or more.  GSA is urging all government agencies to deploy encryption technology on their mobile devices to avoid data breaches such as the one the U.S. Department of Veterans Affairs experienced last year, when a laptop containing personal information about 26.5 million military veterans and spouses was stolen.  Federal officials said 30 companies bid on the program, but only 10 of them were able to meet the more than 100 information security requirements put together by a Pentagon-led evaluation team.


Friday, June 08, 2007

CIOs, Auditors To Get New Software Controls Guide on July 9

The Institute of Internal Auditors’ forthcoming guide lists tests that companies can perform to make sure their controls are correct and working properly.  It’s time for an audit of the application controls for every business system throughout your organization, from enterprise resource planning to e-mail programs, document imaging systems and product design software.  If you’ve upgraded or modified applications since the last application controls audit, you’d be smart to check out a forthcoming 33-page guide on application controls to be released July 9 by the Institute of Internal Auditors (IIA).  The eighth in the institute’s Global Technology Audit Guide (GTAG) series, “Auditing Application Controls” will be available for free to the institute’s 130,000 members in 160 countries, as well as to nonmembers via the group’s Web site at


Thursday, June 07, 2007

IBM Makes Security Move to Acquire Watchfire

IBM announced plans to acquire Massachusetts-based software vendor Watchfire in a bid to beef up compliance testing and security for Web applications as they are being developed.  Together, the technology from Watchfire and IBM Rational software will help customers integrate Web application security and compliance throughout the development process, enabling customers to test and track the compliance of their applications with security, legal and corporate requirements, company officials said.


Symantec to test major revamp of corporate AV client

Symantec Corp. will kick off its annual Symantec Vision conference next week with the first public release of its next-generation corporate antivirus software, called Symantec Endpoint Protection 11.0.  The new software is a major advance for Symantec, which has been working for more than a year to integrate firewall, zero-day protection and network access control features into its antivirus product.  The product, code-named Hamlet, includes code from two recent Symantec acquisitions.  Its firewall capabilities are based on the Sygate Enterprise Protection software Symantec acquired in 2005, and another new feature, SONAR (Symantec Online Network for Advanced Response), is based on code that Symantec acquired as part of its 2005 purchase of Whole Security.



Wednesday, June 06, 2007

Microsoft Sets Unified Security Strategy with ‘Stirling’

Microsoft officials have outlined plans for a unified security product they say will allow users to centrally manage security across an entire IT infrastructure from a single console.  Code-named Stirling, the product is designed to enable IT managers to centrally set policy, configure, deploy and manage security within their IT environments.  When it is officially released (Microsoft officials have mentioned 2009 as a general release date, with the beta version to be available later in 2007), it will include the next-generation versions of the Forefront Client Security, Server Security, and Edge Security and Access solutions, plus a unified management console.


Security’s Soft Underbelly

Databases are among the most widely deployed, complex, and fastest growing technologies in corporate infrastructures.  Stocked with vast amounts of business-critical, sensitive records, they’re now the focal point of highly damaging data breaches.  Yet, as businesses rush to provide real-time information flow inside and outside their organizations, database security remains one of the least understood and most under-funded aspects of corporate security—and IT is yelling for help.


House passes restrictive anti-spyware bill

The U.S. House of Representatives passed on Wednesday a second bill aimed at restricting the actions of spyware purveyors and online data thieves, but many government and industry executives have argued that more regulations are not necessary.  The act is the second piece of anti-spyware legislation to pass the House in the last month—in late May, legislators gave the go-ahead to the Internet Spyware Prevention (I-SPY) Act.


Friday, June 01, 2007

Plug the holes in your cone of silence

Data loss is a significant factor in modern business, dependent as it now is on electronic systems.  And it occurs in many ways, some inadvertent, some through stupidity and some criminal.  One organisation accidentally puts its sensitive market research report online before it has been approved; another can’t find data that has been requested by a government department.  Others lose laptops, unwittingly send confidential information in emails, or give contractors too much access to internal data.  This is lost data, and its impact on a business can range from financial loss to damage to its reputation, potential loss of customers, or even imprisonment if there is a breach of corporate governance.  So, how good are your data management policies and procedures?  More than two-thirds of Australian organisations experience six losses of sensitive data every year, according to new research by the US-based IT Policy Compliance Group.  One in five organisations loses sensitive data 22 or more times a year.


Forget security and privacy: Focus on trust

Security and privacy are bad words with bad histories, evoking bad connotations with most enterprise stakeholders.  For companies to succeed at safeguarding their data, these words must go away.  Information security and privacy protections as we know them today are a response to the ills that have befallen enterprises over time.  Enterprises experience a problem or incident and don’t want it to happen again, so they find the most practical way to eliminate it or mitigate it.  As a result, security and privacy practices tend to be restrictive.  Every organization uniquely figures out where best to place them, so long as the chief executive doesn’t have to be too bothered.  As a consequence, neither security nor privacy has been associated with the positives of most institutions or with their strategically important initiatives.  They are clearly not viewed as activities that will help enterprises gain market position, enhance their reputations or provide competitive advantage.