Just want to see an even briefer summary… Well now, we have the summary page: Summary Page Same content… Just faster to scan. Hope you enjoy and any comments feedback is really appreciated.
WinFS Axed From Longhorn Client and Server
The Windows File System (WinFS) — technology that was set to simplify information storage and retrieval — won’t make it into the final, shipping versions of Longhorn client, company officials confirmed.
Longhorn is still slated to include both the Indigo and Avalon subsystems, contrary to some rumors to the contrary over the past couple of days. And Microsoft is still expecting to deliver as part of Longhorn updated “fundamental” application-programming interfaces providing core power management, driver management, application installation/deployment, digital rights management and other basic tasks.
http://www.microsoft-watch.com/article2/0,1995,1640454,00.asp
Security appliances add dynamic profiling to firewall technology
SecureSphere 3.0 includes multiple layers of security, including a standards-based deep inspection firewall, Web and database firewalls, and protection from zero-day worms via Imperva’s new Worm Profiling technology.
The Dynamic Database Firewall, meanwhile, relies on the database elements of the dynamic profile to detect unusual database queries.
http://zdnet.com.com/2110-1104_2-5323921.html
Joint Forum Issues High-Level Outsourcing Principles
The principles are intended to guide firms and regulators to maintain high standards of corporate governance and risk management in an environment of rapid IT innovation and a high reliance on external service providers.
The Joint Forum consists of the Basel Committee on Banking Supervision, the International Organization of Securities Commissions, and the International Association of Insurance Supervisors.
In summary, regulated entities should:
– Assess whether and how activities can be appropriately outsourced, under the aegis of the board of directors.
– Establish a comprehensive outsourcing risk management program.
– Prevent outsourcing from impeding regulatory supervision or disrupting customer obligations.
– Conduct appropriate due diligence when selecting third-party service providers.
– Use written contracts to govern all material aspects of outsourcing relationships.
– Establish and maintain contingency plans with service providers.
– Ensure that confidential information is protected from unauthorized disclosure.
On the last point, regulators have taken note of the potential vulnerability in having too many banks using too few service providers, or having several banks share a common disaster recovery site.
The report states: “When a limited number of outsourcing service providers (sometimes just one) provide outsourcing services to multiple regulated entities, operational risks are correspondingly concentrated, and may pose a systemic threat.”
The Joint Forum recommends risk mitigation tools including adequate contingency planning by regulated entities, ongoing monitoring and awareness, supervisory programs and risk assessments.
http://www.bankinfosecurity.com/?q=node/view/1593
Wi-Fi Plays Defense
Now that the long-awaited 802.11i standard for enhanced WLAN security has been ratified, can IT assume that WLANs have grown as secure as their cabled counterparts? Much of it has already been available for about 18 months in an 802.11i subset called Wi-Fi Protected Access (WPA). And while standards-based security technology plays a big part in protecting enterprises, the issues reach beyond a signed set of technical specs.
For example, there’s a broad installed base of specialized client devices, such as bar code scanners, that run the MS-DOS operating system. They are not upgradable, even to earlier versions of authentication and encryption, let alone to 802.11i, which requires Advanced Encryption Standard protection. As enterprises expand their WLANs, these legacy devices might well become the weakest link in the wireless security chain.
And some administrators lack confidence in their ability to properly implement the various pieces of WLAN security, particularly since new attacks regularly make headlines. WPA also uses the industry-standard 802.1x framework for strong user authentication. And AES, the U.S. government block-cipher standard for 128-bit data encryption, replaces the RC4 stream-cipher encryption that WEP and WPA use.
Through 2006, 70% of successful Wi-Fi attacks will occur as a result of the misconfiguration of APs and client software, according to Gartner Inc.
This is why the Bethesda, Md.-based SANS Institute, which offers information security training and certification, recommends regular wireless audits. For example, if an enterprise has adopted 802.1x and has selected Protected Extensible Authentication Protocol, one of several available authentication methods, network administrators should regularly check that all APs are indeed configured for PEAP. In addition, airborne packets should be regularly examined using a wireless protocol analyzer to verify that they are actually using the EAP method selected.
Another recommended practice is treating the WLAN as an untrusted network, like the Internet, and putting a firewall or gateway where wireless and wired networks meet.
Most enterprises will select an EAP authentication method based on the type of database they have. Cisco’s broadly deployed Lightweight EAP supports easier-to-manage username/password schemes but is prone to off-line dictionary attacks in shops that can’t enforce strong password policies. LEAP also supports mutual authentication, an 802.11i recommendation, as do PEAP and another common method, EAP-Tunneled Transport Layer Security. Less than 30% of devices in the field are outfitted with mutual authentication today, leaving many deployments exposed.
Even the world’s largest WLAN operator — Microsoft Corp. — isn’t using WPA yet on its 4,500-AP WLAN, built on APs from Cisco Systems Inc. Many of Microsoft’s older APs are first-generation technology and are not WPA-capable. Microsoft is poised to make a wholesale change to its global WLAN infrastructure, which supports about 100,000 unique mobile devices. “11i is our main goal, but we can’t move to it yet because no NICs support it,” says Don Berry, the wireless network engineer who has overseen Microsoft’s global WLAN implementation since 1999. He estimates that less than 30% of devices in the field are outfitted with mutual authentication today, leaving many deployments exposed.
http://www.computerworld.com/mobiletopics/mobile/technology/story/0,10801,95411,00.html?f=x596%3E
Report says Virtually All Big Companies Will Outsource Security By 2010
The need to stay ahead of the hacker curve will drive nearly 90% of big U.S. companies to outsource their security to managed service providers by the end of the decade, a report released Monday suggested.
According to the Yankee Group, businesses will hand over security–initially for perimeter defenses but eventually for inside-the-firewall protection–to managed security service providers to the tune of $3.7 billion by 2008, a jump from 2004’s estimated $2.4 billion.
“Enterprises are outsourcing more technology in general,” said Matthew Kovar, a VP at Yankee Group’s security solutions group.
Enterprises know what they have to do, but more of them will see that [security] isn’t a core competency,” he added, and will hand the reins to a managed security service provider.
Security outsourcing will prove attractive, said Kovar, for reasons other than the cost savings typically cited by companies that farm out business processes.
Among the drivers toward managed services are the accelerated attacks of today’s threats–giving enterprises virtually no time to put up defenses on their own before an attack infiltrates a network–legislative requirements such as HIPAA and Sarbanes-Oxley, and the trend toward pushing out the network perimeter to include partners and remote workers.
These and other factors are outpacing the average company’s ability to keep up with the latest counter-measures and techniques to thwart attacks, Kovar said in his report.
While managed services biggest number of customers are currently those subscribing to anti-spam services, managed firewalls aren’t far behind, said Kovar.
And as the trend continues, other security defenses now solved by hardware, such as intrusion detection and intrusion prevention, will also be shipped out for others to handle.
“One of the easiest managed services to see success is E-mail anti-spam services,” Kovar said.
The vendors that Yankee Group sees in the top tier include TruSecure and Symantec, with Unisys, Netsec, Solutionary, Internet Security Systems, and RedSiren close on their heels.
http://www.informationweek.com/story/showArticle.jhtml?articleID=29116929