Cyber Security Institute

Monday, July 30, 2007

Survey: Zero-Day Bugs Biggest Concern

Zero-day vulnerabilities are the top security concern for the majority (54 percent) of IT professionals, according to the results of an annual customer survey conducted by PatchLink Corporation, a global leader in security and vulnerability management.  Seventy percent of IT managers completed fire-drill remediations within eight hours in 2007, compared to just 39 percent during the previous year.  In addition, many respondents (60 percent) supplemented their vulnerability management process to include both agent- and network-based vulnerability scanning.  As a result, a vast majority (99 percent) of respondents say their organizations are as secure or more secure today than they were in 2006.


Black Hat: How to Hack IPS Signatures

Careful, that zero-day signature you just got from your IPS vendor could be used against you: Researchers from Errata Security at Black Hat USA this week will show how an attacker can easily reverse-engineer the zero-day filters that IPS (intrusion prevention system) vendors distribute, and then use them to launch an attack.  Errata CEO Robert Graham and CTO David Maynor will demonstrate this using TippingPoint’s signatures, but Graham says it’s possible to reverse-engineer any IPS vendor’s zero-day signatures.  The researchers will show how these signatures essentially hand an attacker the ammunition to do damage using bugs that wouldn’t otherwise have been known about yet.


Saturday, July 28, 2007

SOA Security: One Treacherous Journey

Are you ready to deal with the risks of opening your service-oriented architecture to business partners?  Web services have always been sold as a way to share data among organizations: An enterprise can selectively open internal systems to customers, partners, and suppliers, automating transactions that once required human intervention.  While most businesses have so far steered clear, keeping Web services tucked safely behind the firewall, the growth of service-oriented architecture and the emergence of Web 2.0 look set to change that.  Will the rewards be worth the risks of exposing internal services to the Web?  It’s not helping that interoperability woes are exacerbated by the immaturity of SOA security standards.


Friday, July 27, 2007

Institutions Face Bewildering Web of Breach Notification Statutes: GAO Report

The latest disclosure of a data breach involving financial information points up the need for a comprehensive response program, including complying with federal and state notification laws.  As the number of reported breaches and the ensuing media coverage has escalated, state legislative and federal regulatory bodies have enacted a variety of requirements mandating responses to such events, including customer notification.


UK phone records to be kept for a year

UK telecoms companies will have to keep phone call logs for a year under a new law, which comes into force in October.  The law does not apply to records of internet activity, such as web surfing, email, and Voice over Internet Protocol (VoIP) phone calls.


Virtualization’s New Benchmark

The nonprofit Center for Internet Security (CIS) is about to release a security benchmark that gives you the lowdown on how to lock down your virtualized systems.  Virtualization may be convenient, efficient, and eco-friendly, but it’s also a big fat security risk if you don’t configure it properly. 


Study: Internet censorship spreading

State restrictions on use of the Internet have spread to more than 20 countries that use catch-all and contradictory rules to help keep people offline and stifle feared political opposition, a new report says.  In “Governing the Internet”, the Organization for Security and Cooperation in Europe (OSCE) presented case studies of Web censorship in Kazakhstan and Georgia and referred to similar findings in nations from China to Iran, Sudan and Belarus.  “Recent moves against free speech on the Internet in a number of countries have provided a bitter reminder of the ease with which some regimes, democracies and dictatorships alike, seek to suppress speech that they disapprove of, dislike, or simply fear,” the report by the 56-nation OSCE said.


Disaster Planning Is Critical, but Pick a Reasonable Disaster

If an avian flu pandemic broke out tomorrow, would your company be ready for it?  Computerworld published a series of articles on that question last year, prompted by a presentation analyst firm Gartner gave at a conference last November.  Among Gartner’s recommendations: “Store 42 gallons of water per data center employee—enough for a six-week quarantine—and don’t forget about food, medical care, cooking facilities, sanitation and electricity.”  And Gartner’s conclusion, over half a year later: Pretty much no organizations are ready.  It’s not that organizations don’t spend enough effort on disaster planning, although that’s true; it’s that this really isn’t the sort of disaster worth planning for. 


Thursday, July 26, 2007

Cybercrime Costs US Economy at Least $117B Each Year

As staggering as the losses pegged to cybercrime are, they may even be worse than estimated, according to David A. Powner, GAO director of IT management issues and the lead author of a recent report.  Cybercrime in its various forms—computer crime, identity theft and phishing—costs the U.S. economy some US$117.5 billion a year, reported the Government Accountability Office (GAO).


Wednesday, July 25, 2007

Are security pros worrying about the right stuff?

Are security pros worrying about the right stuff?  This is the first in a series of stories that will be addressed at The Security Standard event scheduled for Sept. 10-11 in Chicago.  “As a rule, men worry more about what they can’t see than what they can.”  “Security decisions are almost never made for security reasons.”  Worrying almost seems to define the job of the CSO (chief security officer) and CISO (chief information security officer).  The security chief is the corporate standard bearer for risk management in a world fraught with technical and human error, with hackers potentially lurking within and without.  When asked what they worry about, CSOs and CISOs cite regulatory compliance and security controls overlooked in IT projects.  Some acknowledge a general angst that simply boils down to the great unknown of system-wide chaos.  But are security pros worrying about the right things?


Tuesday, July 24, 2007

Piecing together IBM’s security puzzle

IBM owns some of the world’s leading IT security talent, products, and services, but executives with the massive company say it will likely never aim to become what people might label as a true “security vendor.”  The technology giant has added high-profile security assets in the last year alone, acquiring such companies as applications testing specialist Watchfire in June 2007 and managed services and hardware giant ISS in Aug. 2006.  However, unlike rivals like Microsoft—which has moved to stake a claim in the anti-virus, messaging, and collaboration security segments with its own products—executives say that Big Blue is more interested in blending security further into its existing products and services than it is hopeful of becoming a more mainstream security provider.


Saturday, July 21, 2007

Symantec Bats Botnets with New Tool

Symantec officials say their new Norton AntiBot utility offers users an extra level of protection against bots in order to complement anti-virus products. 


Friday, July 20, 2007

Compliance ‘Laggards’ Face Most Financial Risk from Data Loss, Report Shows

The latest report by the IT Policy Compliance Group finds that nine of ten companies are exposed to financial risk from data losses and thefts that can be cost-effectively avoided.  The report, “Why Compliance Pays—Reputations and Revenues at Risk,” finds the majority of the 475 firms surveyed must contend with six to 17 business disruptions and five to 22 instances of losses or thefts of sensitive information each year.


DoJ Sends ID Theft Bill to Congress

The Bush administration sent proposed legislation to Congress today that aims to update and improve federal identity theft laws.  The Identity Theft Enforcement and Restitution Act of 2007 would allow ID theft victims to recover the value of the time lost attempting to repair damage caused by identity theft.


UK needs cyber-crime reporting body

The UK needs a reporting body to deal with e-crime occurrences, according to a group of senior IT chiefs.  Companies which have fallen foul of e-crime attacks must report any incidents to the local police, who may not always understand what - for example - a DDoS or phishing attack is.  David Roberts, chief executive of Tif, the Corporate IT Forum, said there is a need for an organisation that businesses can talk to: “At the moment, there isn’t anywhere a large or small corporate can go to find somebody who can understand the [e-crime] issue and has the authority to do something about it.”  Roberts said there is not even a body that can bring together organisations that are under threat or experiencing regular threats and coordinate efforts to identify and resolve e-crime incidents.


Wednesday, July 18, 2007

Symantec Renovates Its ThreatCon System

Symantec Corp. announced the launch of its newly renovated ThreatCon global security alerting system.  A free service, ThreatCon provides users with faster, more actionable information for protecting against a wider range of vulnerabilities, threats and attacks.


Tuesday, July 17, 2007

Symantec Unveils Anti-Botware

It may be the start of a whole new security product category, anti-botware: Symantec will roll out Norton AntiBot, a real-time bot detection and removal software package.


Monday, July 16, 2007

Log management in the age of compliance

Organizations are turning to logs to provide a continuous trail of everything that happens with their IT systems and, more importantly, with their data.  If a disgruntled employee with an intent to steal data accesses a database containing confidential information, there would likely be a log of that activity that someone could review to determine the who, what and when.  Routine log reviews and in-depth analysis of stored logs are beneficial for identifying security incidents, policy violations, fraudulent activity and operational problems shortly after they have occurred, as well as for providing information useful for resolving such problems.  Given the inherent benefits of log management, it is not surprising that log data collection and analysis is generally considered a security industry “best practice.”  Some of the compliance regulations that drive log management rely on National Institute of Standards and Technology Computer Security Special Publications (NIST SP) to delineate the detailed logging requirements.


IT Security: The Data Theft Time Bomb

Despite the billions of dollars spent on information security products, the aggressive patching and repairing of operating systems and applications, and the heightened awareness of the need for computer users to guard against identity theft, most organizations aren’t feeling any more secure than they were a year ago.  InformationWeek Research’s 10th annual Global Information Security survey, conducted with consulting firm Accenture, shows that two-thirds of 1,101 survey respondents in the United States and 89% of 1,991 respondents in China are feeling just as vulnerable to security attacks as last year, or more so.  Contributing to this unease is the perception that security technology has grown overly complex, to the point where it’s contributing to the problem.  The No. 1 security challenge identified by almost half of U.S. respondents is “managing the complexity of security.”


Friday, July 13, 2007

Financial Institutions Warned New Fast Phishing Kit Found

With the recently discovered “plug and play” phishing kit, a relatively “non-technical” person with the right information could launch a phishing attack against any financial institution.  “No technical expertise is needed by the phisher, and it is far less risky as the remote host is only accessed once,” said Marc Gaffan, director of marketing with RSA’s consumer solutions group.  The new “plug-and-play” phishing kit reduces the time and effort required of the fraudster by automating the site installation process.  The “kit” is a single PHP code file, which is run on the compromised server once, and automatically creates the relevant directories and installs all of the files which are associated with the specific phishing site.