The first GPS policy update in eight years strongly reaffirms the U.S. commitment to GPS technology, a positive signal for companies that develop, market and export related products for commercial, scientific and military uses. The United States will begin an aggressive promotion and tighter coordination oversight of its Global Positioning…
Month: December 2004
DHS Audit Unearths Security Weaknesses
In a report made public this week, the Office of Inspector General in the DHS warned that the audit turned up weaknesses in the systems used to avoid unauthorized access.
“Due to these remote access exposures, there is an increased risk that unauthorized people could gain access to DHS networks and compromise the confidentiality, integrity, and availability of sensitive information systems and resources,” the report said.
The OIG also discovered that the DHS does not provide adequate or effective system security controls over remote access to its computer systems and data.
“In assessing the effectiveness of remote access controls, we identified several problems related to remote access host configurations, system patching, and the control of modems.
On the findings that system patches were not applied, Cooper said that all of the patches identified in the audit were in testing to be implemented.
http://www.eweek.com/article2/0,1759,1743639,00.asp?kc=EWRSS03119TX1K0000594
Yankee Group Sees Open-Source Indemnification Nightmare
“A corporate Linux or open-source user that lacks indemnification and product warranty will expend its own time, money and resources fighting legal action,” said Laura DiDio, senior analyst for application infrastructure and software platforms at The Yankee Group. DiDio said that in the absence of indemnification or specific indemnification provisions, corporations could be the target of an intellectual property lawsuit that they would be forced to defend using their own money and resources.
In some cases, such as free open-source software, beta test software, steeply discounted software or software produced by nonprofits, the vendor may not realize enough of a profit to justify the cost of indemnifying its customers, DiDio said.
“Novell believes open-source software poses no greater risk of intellectual property infringement than does closed-source software, something this Yankee press release certainly doesn’t convey,” said Bruce Lowry, public relations director at Novell. “There’s been a lot of noise in the market around this issue of late, fanned by Microsoft and actions like this from the Yankee Group, but we’re not aware of any patent claim being filed against an open-source offering,” Lowry said.
“Prior to the announcement of blanket and total indemnification, if any user of Microsoft’s software was sued for patent infringement, the incentives would preclude Microsoft from abstaining and leaving their customer on their own, because if the customer lost, that would set precedent against the same Microsoft software used by anyone.”
Therefore, “in order to prevent the software from being stopped, Microsoft would—even without having given an indemnification—want to be involved with any case where its software is accused of infringement in order to protect, not its customer per se, but its software,” Ravicher said.
http://www.eweek.com/article2/0,1759,1743663,00.asp?kc=EWRSS03119TX1K0000594
Survivor’s Guide to 2005: Security
Intrusion detection systems–the primary source of warnings that attacks are under way–are critical pieces of network-security infrastructure, providing detailed records of attacks, intrusions and unexpected network activity. For most enterprises, the IDS has become the central piece of security hardware, certainly the most visible piece to the staff. Without an IDS, the security staff must gather forensics information from firewall, server and router log files.
The mission of IDS is changing, however. Many IDS vendors are improving their products so that the IDS doesn’t simply give you the details on an event that has occurred. Instead, the system will help prevent intrusions from happening in the first place.
Even within the reporting realm, IDS is becoming more active as anomaly detection, vulnerability assessment and forensics come under the broad label of IDS’s reportable events. The growing number of attacks and attack types makes it more important for the IDS to correlate with logs and reports from other network-security components for context and ease of interpretation.
Schemes such as Cisco’s Network Admission Control (NAC) and Microsoft’s Network Access Protection (NAP) have, among many other capabilities, IDS and firewalls sharing some of the features of an IPS (intrusion prevention system), with the IDS feeding control information to a central authority, which then gives instruction to the firewall for connection reset and address blocking.
Last year, the verdict on IPSs was “don’t believe the hype.” As a piece of a multilayer security approach, an IPS can join the IDS, enterprise firewall, desktop firewall and application firewall to protect your key network assets.
For some, the blocking of even one piece of legitimate traffic is unacceptable.
As an incremental tool that can help cut down on the volume of attack traffic, intrusion prevention from vendors including Check Point Software, Internet Security Systems, Lucid Security, Radware and Tipping Point should be seriously explored in 2005.
The various governmental regulations, including HIPAA and GLB, make it business-critical for a company to protect customer and patient data from any theft or intrusions, and make it just as important that the company demonstrate that the protection is in place and effective.
Outside the conventional perimeter, software firewalls installed on mobile clients help move protection outside the bricks and mortar of the corporate boundaries, to slow the spread of mal-ware that can gain entry in Starbucks, traverse a VPN and run loose in the network core.
The intelligent integration of security functions, controlled by software that enforces intelligent policies, will be one of the great migrations of the year. Ask any vendor claiming to have an enterprise policy framework how many companies have partnered with them to let their products be queried and/or controlled by the central management console. The partnership issue should be more readily resolved by the industry giants that have introduced their own policy and access-control systems.
Both Cisco Systems with its NAC and Microsoft with NAP are building network-control frameworks on the basis of technology and products that are in the field, though neither company expects to have production deployments before the middle of the year.
At the same time, agencies and organizations have begun the work of building standards–the National Institute for Standards and Testing published ANSI INCITS 359-2004 (for role-based access control) in February 2004, and other organizations have committees beginning to look at the requirements for standards.
Although, in some ways, authentication is the boring brother-in-law of the security world, there is room for excitement as the world moves closer to the promised nirvana of single sign-on.
To comply with regulations, data must be protected from external threats and even successful intrusions cannot result in the release of protected data. Therefore, IDS and IPS must look at traffic flowing in both directions in order to defend the database and its supporting applications from giving up critical data.
Data storage devices that can take data away are also a significant concern. “Thumb drives,” small USB storage devices, have replaced floppy disks as the portable storage medium of choice for mobile professionals carrying presentations, software updates or small applications from office to office.
Instead of network security, more professionals are becoming involved in data assurance, network assurance or even business assurance, helping to protect the information against network intrusion, physical disaster or device theft.
http://www.securitypipeline.com/shared/article/printablePipelineArticle.jhtml;jsessionid=SLLOOGDEM1DNQQSNDBGCKH0CJUMEKJVN?articleId=55800918
Symantec will buy Veritas for $13.5B in stock
The deal values Veritas at around $13.5 billion, they said.
By joining forces, Symantec will be able to help enterprise customers secure their information better, the companies said.
Symantec Chairman and Chief Executive Officer John Thompson will continue in that role, while his opposite number at Veritas, Gary Bloom, will become vice-chairman and president of the combined company.
“This is not your typical merger focused on removing cost and redundant infrastructure,” he said. Bloom will take day-to-day responsibility for sales, service and support”, Thompson said.
For his part, Bloom said that a single company that can both secure its customers’ data, and make that data more available, represents a unique value proposition.
How long such integration will take is an unanswered question, as the people who will do the programming have been kept in the dark about the deal until now, according to Thompson.
The companies expect to report $5 billion in combined revenue in their first financial year together, from April 2005 to March 2006, according to Symantec’s Chief Financial Officer Greg Myers.
The previous week, it announced plans to acquire intrusion system Platform Logic of Glenwood, Maryland.
This latest deal dramatically extends and strengthens Symantec’s offering to enterprises, according to Richard Ptak, an analyst with Ptak, Noel & Associates, commenting on the deal via e-mail.
Veritas has so far failed to capitalize on its 2002 acquisitions of Jareva Technologies and Precise Software Solutions, but the deal with Symantec will give it a second chance to apply these technologies, drawing on the greater experience and financial resources of the merged company, Ptak said. Ptak wondered whether Computer Associates International or BMC Software would have been a better target.
BMC, in particular, would have given Symantec a solid position in the systems management market — and may still be a target if it is on the market by the time Symantec swallows Veritas.
http://itproductguidebeta.infoworld.com/article/04/12/16/HNsymantecbuyveritas_1.html
Microsoft may charge extra for security software
In a shift from past practice, the world’s largest software manufacturer said it may charge consumers for future versions of the new protective technology, which Microsoft acquired by buying a small New York software firm.
Microsoft, whose Windows operating systems have often been criticized for lax security, traditionally has given consumers — at no charge — separate programs to improve security.
The company’s upcoming tool, available for its Windows XP and Windows 2000 software, will sweep for spyware and offer to remove suspicious programs.
Rival anti-spyware tools, such as Lavasoft Inc.’s popular “Ad-Aware” product, offer similar functions and many are free.
Microsoft’s disclosure that it may eventually charge extra for Windows protection reflects a recognition inside the company that it could collect significant profits by helping to protect its customers. Microsoft and some others, meanwhile, said blame should be directed instead at spyware manufacturers.
http://www.cnn.com/2004/TECH/internet/12/16/microsoft.spyware.ap/index.html