Cyber Security Institute

Tuesday, October 30, 2007

After a Data Breach

The tangle of state notification laws can be exasperating—and costly.  With more than 30 state data-disclosure notification laws now on the books, officials at many companies doing interstate business are hoping that cohesive national legislation will smooth out the nuances among differing statutes.


Friday, October 26, 2007

Visa rolls out new payment application security mandates

Amid signs of growing frustration in the retail community over the credit card industry’s Payment Card Industry (PCI) data security requirements, Visa on Tuesday quietly rolled out an additional set of Payment Application Security Mandates for all companies that handle credit and debit card transactions.  Under the multiphase initiative, covered entities will have three years to ensure that all their payment applications are compliant with a set of security requirements mandated by Visa.


Tuesday, October 16, 2007

Better IT Security Doesn’t Mean Spending More

IT managers trying to figure out how much money to budget for information security purposes each year might want to take note of some recent advice from Gartner Inc.: According to the Stamford, Conn.-based analyst firm, despite the growth in targeted attacks and the continuing discovery of new vulnerabilities, almost 90 percent of the threats companies face today can be handled without any extra investment in security.  Instead, companies need to reduce some of the money they’ve spent over the past few years protecting against mass attacks—redirecting those freed-up resources to confront more narrowly directed emerging threats.


Nine out of ten websites have serious vulnerabilities

Based on more than a year of data, this is the industry’s only report focused solely on previously unknown vulnerabilities on publicly facing websites.  The report shows that nine out of ten websites have serious vulnerabilities that make them targets for malicious online attacks.  Cross-site Scripting (XSS) remains the top vulnerability class, appearing in approximately three quarters of websites, while Information Leakage is the top vulnerability class of the overall population.


Saturday, October 13, 2007

F-Secure: User education no security solution

Education is not a viable solution for preventing security issues, according to Patrik Runald, F-Secure’s senior security specialist.


Friday, October 12, 2007

Survey: Office workers still the greatest security threat

Businesses still consider desktop users to be the biggest security risk to their networks, despite increased concern over outsourced labor and remote users.  Such users were considered the greatest threat to security by 44 percent of respondents.


Security spending soars

A poll of 1,070 organisations commissioned by the Computing Technology Industry Association (CompTIA) found that spending on information security has increased markedly over recent years and shows no signs of letting up.  Even taking into account increased spending on security to meet tougher compliance regimes, CompTIA figures are much higher than those of other security watchers.  Gartner, for example, predicts that security spending will rise to 9.3 per cent in 2007.  Nearly half of the survey respondents said they plan to increase spending on security-related technologies this year.


Thursday, October 11, 2007

Bringing Security into the Development Process

Vendors and analysts warn that the open culture of application development can lead to security vulnerabilities and data leaks.  When it comes to data leaks, most of the talk is about hackers breaking into networks or employees e-mailing and downloading sensitive information.  But some vendors are paying more attention to the preproduction environment, where there are often security holes big enough to push a hard drive through.  “The development environment and quality assurance environment have always been…significantly more open and free,” said Louis Carpenito, former vice president of information security business strategy at Symantec.


Tuesday, October 09, 2007

Gartner’s top 10 strategic technologies for 2008

Whether you incorporate these technologies or not, they’re not going away, the research firm says.  Gartner Inc. has put “Green IT” at the top of its list of 10 strategic technologies for next year, and the research firm says that if businesses don’t improve data center energy efficiency, the government may force them to do so.  But social networking technologies are also on the list, along with some further-off technological developments, such as server designs that use a resource-sharing approach called a computing fabric.


Monday, October 08, 2007

The top 10 reasons why Web sites get hacked

Web security is at the top of customers’ minds after many well-publicized personal data breaches, but the people who actually build Web applications aren’t paying much attention to security, experts say.


IT Budget Agenda 2008

Spending for IT goods and services is expected to grow next year, as organizations enter a new phase of technology acquisition.  In 2008, IT will experience an 8 percent increase in spending over 2007 purchasing budgets—that’s 3 percent more than in 2007, said Andrew Bartels, an analyst at Forrester Research, in Cambridge, Mass.  For 2008, spending patterns are expected to begin to change, as companies focus more on increasing productivity than on cutting costs.  “Forrester talks about two periods of technology acquisition, which we call ‘tech digestion’ and ‘innovation growth,’” Bartels said.


Friday, October 05, 2007

Top Five Threats for 2008

In 2008, the number of user machines that become bot-infected will be one in 10 or greater, according to the Georgia Tech Information Security Center (GTISC), which earlier this week released a report on the main threats for next year.  Tens of millions of computers—about 10 percent of those connected to the Net—are already acting as bots in botnets today, the GTISC says.  The other threats that will evolve and increase next year are Web 2.0 and client-side attacks; targeted messaging attacks; mobile attacks; and attacks on RFID systems, the GTISC says.