March 2005 – Page 11 – CyberSecurity Institute

Tech Heavies Throw Weight Into Compliance

Posted on March 7, 2005December 30, 2021 by admini

The group, made up of Oracle (Quote, Chart), Hewlett-Packard (Quote, Chart), Veritas, Sun Microsystems (Quote, Chart), Open Text, Hitachi Data Systems, Network Appliance (Quote, Chart) and Plasmon, expects to have resources available on the Internet Law & Policy Forum (ILPF) Web site in the next six months.

The ILPF is a non-profit organization that provides a neutral forum for challenges posed by the Internet on law, policy, technology and businesses worldwide.

The CMEI site will host documentation on best practices for information retention and maintenance regulations, provide counsel and exchange information with various businesses, legislative bodies and regulatory agencies in various workshops, and publish checklists and summaries of legal and regulatory requirements for interested companies.

Those sorts of conflicting policy goals, as well as some of the weak language found in ambiguous regulations was the main reason for the formation of the working group, according to Harald Collet, CMEI chairman and Oracle records management and compliance support product manager. With businesses focused on complying with the deadlines of specific regulations, he said, such as Sarbanes Oxley, they now have to work on building a framework that is more all-encompassing.

Collet points to research conducted recently by AMR Research, which said companies would spend $6.1 billion in 2005 just to gain compliance with the regulations contained in the Sarbanes-Oxley Act; of that $6.1 billion, $1.7 billion will go toward the technology that helps companies meet compliance standards. But while companies within the working group would stand to gain from selling their products directly to customers — Oracle sells software like its E-Business Suite 11i.9 to help get companies in line with regulations like Sarbanes Oxley and HIPAA — Collet said the goal of the working group is to help customers by finding the best answers for them.

“The vendors that are involved in this all go into it with a spirit of trying to address the technology issues around this,” he said, “and I think that everyone who is involved in trying to solve this issue on the vendor side, they have an interest in clarifying the obligations and issues and pointing the way towards technology solutions that can help with this; it’s a win-win for everyone.

Collect said membership is open for any vendor looking to join the CMEI working group, after paying the admission price of $10,000.

http://www.techweb.com/wire/security/159400873

No Glee for VoIP

Posted on March 5, 2005December 30, 2021 by admini

But while opinion about the suitability of the latest telephony technology, the Voice over Internet Protocol (VoIP), has been vacillating between whether to adopt it or not within financial institutions, Nymex is holding firm in ruling out the possibility of using the technology for now.

When Nymex officials opted for a digital voice network to replace the legacy V Band analog turret system, they explicitly opted out of using VoIP for the more than 700 trading turret positions. According to John Barbara, director of telecommunications for the IS department of Nymex, the exchange chose the BT ITS voice trading system over a similar offering from rival IPC Information Systems. “Both BT and IPC came up with a four-handset solution, so we put two four-handset turrets in each booth.

Nymex chose the BT ITS solution for its 450 trading position on the Nymex trading floor, where traders deal in energy, crude oil, gasoline, heating oil, natural gas markets and platinum group metals. Nymex also purchased and implemented 290 positions at its sibling Comex division, where traders deal in gold, silver, copper and aluminum.

http://db.riskwaters.com/public/showPage.html?page=210399

Survey: Patch Management An Ongoing Challenge For Many Companies

Posted on March 4, 2005December 30, 2021 by admini

The biggest problem when businesses are hit by a virus is user downtime.

The survey, completed last month by research firm InsightExpress and commissioned by SupportSoft Inc., a developer of software for managing software updates, portrays patch management as an ongoing issue that poses a variety of risks.

For example, patching still takes a week or longer at about a quarter of companies. That compares with 19% of respondents who say their IT organizations distribute patches to all computers within hours and 57% that do the job in days.

When asked how well prepared their IT organizations were for a virus attack, three-quarters are only “somewhat prepared,” compared with 21.3% that are completely prepared.

“It shows companies are struggling to get a handle on patching,” says Michael Cherry, an analyst with Directions On Microsoft.

The biggest concern among survey respondents is spyware, cited by 25%, followed by viruses and other kinds of malicious software. The most difficult part of patch management is an inability to update all systems with a single patch (24% of respondents) and the sheer number of patches that need to be distributed each month (21%).

Keeping up with Microsoft’s monthly security bulletins and associated software patches has been a challenge for some IT departments. In February, Microsoft issued a dozen security bulletins that addressed 17 vulnerabilities in Windows or its other products.

The negative effect most associated with viruses is end-user downtime, cited by 43% of respondents to the InsightExpress survey.

Chris Grejtak, senior VP of products and marketing with SupportSoft, says the survey underscores that remote and mobile computers are particularly hard to keep updated.

Microsoft’s Systems Management Server 2003 is used by some large companies to distribute updates to Microsoft products

http://www.securitypipeline.com/news/60405613;jsessionid=SUEDHZPSUU2BWQSNDBCCKHSCJUMEKJVN

McAfee Revamps Hosted Antivirus Service

Posted on March 4, 2005December 30, 2021 by admini

Available only to solution providers in McAfee’s SecurityAlliance partner program, the new Partner Security Service gives solution providers a more flexible contract under which to work and offers expanded upselling opportunities, the partners said.

Based on the latest McAfee Managed VirusScan technology, the new service is a revised take on McAfee’s VirusScan ASaP, which has long prompted complaints from partners.

Dave Roberts, McAfee’s senior vice president of channels for North America, described the new service as “ideal” for businesses with limited IT expertise or personnel. “This service enables our channel partners to become managed service providers,” he said.

The Partner Security Service features a Web-based policy configuration tool that enables solution providers to manage multiple customers, schedule on-demand security scans and push out new capabilities, Roberts said.

“This new service takes care of everything for them and makes us look like geniuses.”

http://www.informationweek.com/story/showArticle.jhtml;jsessionid=5CWAFMGITIQIIQSNDBCCKH0CJUMEKJVN?articleID=60405775

Linux Security Rough Around The Edges, But Improving

Posted on March 3, 2005December 30, 2021 by admini

For more than a decade, the National Security Agency has worked on a way to use a computer’s operating-systems to control where software applications and their users can access data within IT environments. The agency succeeded years ago in creating such “mandatory access control” features for specialized operating systems, but very few users had the access or inclination to deploy them.

“Quality of (software) code is crucial to the security of this nation,” Dickie George, technical director of NSA’s Information Assurance Directorate, said Thursday at an SELinux symposium. George added that the directorate’s mission is to research and develop the technology and processes that industry can use to protect itself, and critical U.S. infrastructure, from cyberattacks.

Debian, Novell, and Red Hat, three major distributors of the Linux operating system, only have recently released their own packages built on version 2.6 that allow customers to take advantage of some SELinux features.

Red Hat’s mid-February release of Red Hat Enterprise Linux 4—based upon the SELinux-friendly version 2.6 kernel—is an attempt to marry high-level security features with the basic operating system, says Donald Fischer, senior product manager for Red Hat Enterprise Linux.

http://www.informationweek.com/story/showArticle.jhtml;jsessionid=5CWAFMGITIQIIQSNDBCCKH0CJUMEKJVN?articleID=60405086

Security layers improve Wi-Fi defenses

Posted on March 3, 2005December 30, 2021 by admini

Speaking at the Wireless/RFID Conference and Exhibition in Washington, D.C., Kwon said the most secure layered approached would use the latest wireless grid technologies in combination with wireless intrusion-detection systems.

Because of the insecurities inherent in wireless technologies, a lot of fear exists, said Capt. “We’re a rather risk-averse bunch,” she said.

But attitudes toward wireless networks are changing as Defense Department officials learn more about managing risk with new technologies, she added. Few agencies, he said, are using layered security or “defense in depth” correctly when deploying wireless technologies. And on the policy side, he said, agencies need to ask who has the authority to accept risk for the organization when people begin using such technologies.

Wireless expert Bill Neugent, chief engineer for cybersecurity at Mitre, a nonprofit engineering organization, said that the proliferation of wireless technologies such as radio frequency identification chips and nanoscale “smart dust” will cause both privacy losses and productivity gains.

According to other wireless experts who offered tips on security technologies and policies, open-source products are the most popular for auditing the security of wireless networks. For the most part, wireless networks become open to attack because administrators fail to properly configure wireless access points with password protection, use no encryption, have no virtual private network protection, and do not disable the infrared ports and peer-to-peer features of their wireless networks, Kwon said.

http://www.usatoday.com/tech/news/computersecurity/infotheft/2005-03-02-security-layers_x.htm