Cyber Security Institute

Wednesday, August 29, 2007

Security Economics

Salaries for IS practitioners have been rising steadily, the market for security products and services is much bigger than it was five or ten years ago, and more firms are entering it.  Years ago the pitch was blunt, concentrating on web defacements and denial-of-service takedowns: “the hackers are coming”.  Now sleek statistics from reputable firms or institutions are used, and the language has grown up too: “organizations should secure…”, “we must ensure that every piece of critical information in a company is appropriately secured”, etc.  The problem with these approaches is that the need for security is not personalized enough to trigger a buying decision.


Friday, August 24, 2007

Intel puts more hardware security in vPro line

After months of hyping, Intel is rolling out an update to its vPro technology featuring improved hardware-based security and manageability tools for its chips.  The latest revision of vPro introduces Intel’s hardware-based Trusted Execution Technology (TXT), which the company says will defend PCs against attacks aimed at stealing sensitive information.


VOIP Security Requires Layered Approach, Experts Say

A combination of technology and education helps address VOIP threats, security professionals say.  Some expect voice-over-IP deployments to be targeted more as the number of organizations using the technology grows, with phone phishing in particular becoming a greater threat.  An example of a phone phishing scam would be an attacker sending a spoofed e-mail instructing the customer to call a phone number to reactivate his or her bank account.  “Voice is an inherently trusted communication and consumers are not conditioned to distrust the phone in the same manner that they do unsolicited e-mail,” said Victoria Fodale, an analyst at research firm In-Stat.  Effectively combating VOIP threats requires applying the same best practices governing Internet security, she added.


Honeypots as sticky as ever

Longtime readers of the author’s column know what a honeypot proponent he is.  He runs several around the world, collecting information on malware and malicious hackers, and he thinks every company should have one.  Companies should have a honeypot not to learn hacker and malware tricks, but as an early warning system.  All computer security defenses will ultimately fail, and when something gets past your defenses, a honeypot is the next best thing: any traffic to a box that nothing legitimate should ever talk to is a signal worth acting on.  Take a box you’re getting ready to throw away, and make it a honeypot.
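The “early warning system” idea in concrete form, as an added example that is not code from the column or its author: a minimal low-interaction honeypot that listens on a few decoy ports, accepts anything, and turns each connection into an alert record. The decoy port list, the scan threshold and the `HoneypotMonitor` class are assumptions made for this illustration; the point is that the decoy has no legitimate users, so every touch is a signal and a source that walks several decoy ports is almost certainly scanning you.

```python
"""Minimal low-interaction honeypot used as a tripwire (added example).

Listens on a few decoy ports, accepts any connection, records who came and
what they sent, and emits one alert record per connection. Because no
legitimate client should ever talk to the decoy, every record is a signal.
"""
import json
import socket
import threading
from datetime import datetime, timezone

# Decoy ports (assumption for this example). Pick ports that look worth
# attacking but that nothing legitimate uses on this host. Ports below 1024
# need root to bind.
DECOY_PORTS = (22, 445, 3306)


class HoneypotMonitor:
    """Tracks every touch of the decoy and classifies it."""

    def __init__(self, scan_threshold=3):
        self.scan_threshold = scan_threshold
        self.ports_by_source = {}   # src_ip -> set of decoy ports it touched
        self.alerts = []

    def record(self, src_ip, dst_port, first_bytes=b"", when=None):
        """Classify one connection and return the alert record.

        "touch"       : a bare connect, e.g. a single probe
        "scan"        : the same source has hit >= scan_threshold decoy ports
        "interaction" : the client actually sent data (banner grab, login try)
        """
        when = when or datetime.now(timezone.utc)
        touched = self.ports_by_source.setdefault(src_ip, set())
        touched.add(dst_port)
        if first_bytes:
            severity = "interaction"
        elif len(touched) >= self.scan_threshold:
            severity = "scan"
        else:
            severity = "touch"
        alert = {
            "time": when.isoformat(),
            "src": src_ip,
            "port": dst_port,
            "severity": severity,
            "sample": first_bytes[:64].hex(),      # first bytes, hex-encoded
            "ports_from_source": sorted(touched),
        }
        self.alerts.append(alert)
        return alert


def _handle(conn, addr, port, monitor):
    """Read whatever the client sends first (if anything), log, and drop."""
    try:
        conn.settimeout(2.0)
        try:
            data = conn.recv(256)
        except socket.timeout:
            data = b""
        alert = monitor.record(addr[0], port, data)
        print(json.dumps(alert), flush=True)   # ship this line to your log collector
    finally:
        conn.close()


def serve(port, monitor, bind="0.0.0.0"):
    """Accept loop for one decoy port; each connection is handled in a thread."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind((bind, port))
    s.listen(5)
    while True:
        conn, addr = s.accept()
        threading.Thread(target=_handle, args=(conn, addr, port, monitor),
                         daemon=True).start()


if __name__ == "__main__":
    monitor = HoneypotMonitor()
    for p in DECOY_PORTS[1:]:
        threading.Thread(target=serve, args=(p, monitor), daemon=True).start()
    serve(DECOY_PORTS[0], monitor)   # block on the last port in the main thread
```

Run it on the throwaway box and forward the JSON lines to whatever already collects your logs; an alert of severity "scan" or "interaction" from an internal address is the signal the column is talking about. Keep the box off any real data and firewalled from the rest of the network, since it is deliberately attractive to attackers.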


Thursday, August 23, 2007

Minister for Information Technology Awais Ahmad Khan Leghari

Minister for Information Technology Awais Ahmad Khan Leghari said Thursday that the adoption of the cyber crime bill by the federal cabinet was a major step towards ensuring a secure business environment and the promotion of e-commerce.


Wednesday, August 22, 2007

Unencrypted networks threaten data security

Almost 40 per cent of UK organisations admit to protecting less than a quarter of their network traffic, according to the annual security survey conducted by SafeNet.  The report revealed that five per cent of UK organisations have no security measures at all to protect the data crossing their networks, a slight improvement from six per cent in 2006.


Security SaaS maturing fast

Security technologies delivered via the SaaS (software-as-a-service) business model may still be in their nascent stage, but some early adopters are already piecing together multiple offerings to outsource a significant portion of their IT systems defense infrastructure.  One such company is Imperial Chemical Industries, the massive London-based maker of paints and chemicals that is in the process of being acquired by industrial conglomerate Akzo Nobel to the tune of $16 billion.  With worldwide business operations and an annual research and development budget approaching $60 million, the chemicals giant is spending more effort than ever before on securing its assets and data, company officials said.  Using a handful of SaaS applications—including vulnerability scanning tools offered by Qualys, e-mail and anti-spam filtering from MessageLabs, and Web filtering provided by ScanSafe—IT executives at ICI claim they are maximizing personnel and budget in a manner that traditional on-premise security products wouldn’t allow.  With five years of security SaaS experience under its belt, ICI is beginning to see the long-term promise of the services offerings, according to the executive.  But the company is also cognizant that, despite the benefits of moving to SaaS services, some elements of its network and data security must always remain on-site.


‘Off-Network Data’ Is Major Security Threat For Companies

A new study shows that 73% of companies have had a data loss in the past two years, but they’ve made only limited efforts to shore up their defenses and protect their data.  According to Ponemon, 62% of those surveyed said they are unsure whether their off-network equipment contains unprotected sensitive or confidential information, while 39% do not view managing this equipment as a critical security step.


Hacking Germany’s New Computer Crime Law

Be careful what you joke about at the water cooler in Germany these days—even a dig about a password stuck to a PC monitor could be considered breaking a new anti-hacker law that went into effect this month.  Under the new law, such a joke could be construed as making the password “accessible.”  If a customer tells a sales clerk at a German office supply store that he’s going to use his newly purchased Windows XP software to hack into a bank, the clerk could get busted for selling him the OS.  These are the types of extreme scenarios being played out over and over by German security vendors and researchers who are still trying to figure out just what the controversial new Section 202c StGB of the country’s computer crime laws really means for their business and their research.  Many security people say the law is so flawed and so broad that no one can really comply with it.


Tuesday, August 21, 2007

Security remains mobility’s weakest link

From top-level execs to workers in the field, enterprise end-users are growing increasingly dependent on anywhere, anytime access to essential corporate data and apps.  As such, the call for an effective, business-critical mobile initiative is fast becoming the norm for organizations of all sizes.  But with greater exposure of information technology assets comes greater information security risk.  And as enterprises replace conventional mobile phones with newer handhelds that offer data-centric tools and access to sensitive information, IT departments are increasingly being forced to retool their data defense requirements to account for smartphone and PDA use.


Mobile Workers Think Security Is IT’s Job, Study Reveals

Workers on the go are opening suspicious e-mails and hijacking neighbors’ wireless connections, but 73% put the security responsibility on the IT department.  Forty-four percent of mobile users questioned in a survey this spring said they open e-mails and attachments from unknown or even suspicious senders.  According to the study, 73% of mobile users said they are not always aware of security threats and best practices when working on the go.