September 2007 – CyberSecurity Institute

Cisco keeps up the NAC beat

Posted on September 18, 2007December 30, 2021 by admini

Cisco’s NAC Appliance is doing reasonably well providing self-service remediation for non-compliant endpoint configurations. The primary market for NAC Appliance is still higher education – this may help Cisco sell security into the corporate ISR base.

Network managers can use this capability to have near real-time views of what’s connected to their network. The products actually do good things in a Cisco context, except that NAC Profiler requires NAC Appliance.

http://www.computerworld.com/blogs/node/6201

Gartner: Antivirus is biggest security expense

Posted on September 15, 2007December 30, 2021 by admini

Antivirus software will account for more than 50 percent of the total security software revenue market in 2007, according to the calculations by analyst Gartner.

Gartner principal research analyst Ruggero Contu said that traditionally, the security software market has been dominated by “best-of-needs” vendors, but the market is now starting to see a gradual consolidation around fewer players.

http://www.news.com/Gartner+Antivirus+is+biggest+security+expense/2100-7355_3-6207989.html?tag=ne.fd.mnbc

Data Disconnect: Do You Know Where Your Mobile Devices Are Tonight?

Posted on September 15, 2007December 30, 2021 by admini

“Our research shows that, while most companies (including financial institutions) recognize the risk off-network data poses, few seem to have a grasp on how to manage the many challenges off-network data present to maintaining a strong data security program, and many do not even have a policy to address the situation.”

62 percent of study respondents confirm or are unsure if their off-network equipment contains unprotected sensitive or confidential information; At same time, 39 percent do not view the management of off-network data bearing equipment a critical component to security; 70 percent of data breaches result from the loss of off-network equipment; and, 30 percent say they would never detect the loss or theft of confidential data from off-network equipment.

http://www.bankinfosecurity.com/articles.php?art_id=571

Insider Threats Increase, But Damage Is Minimal

Posted on September 14, 2007December 30, 2021 by admini

The Computer Security Institute’s annual Computer Crime and Security Survey, which is scheduled for release later this week, reports that insider attacks have now surpassed viruses as the most common cause of security incidents in the enterprise.

Nearly 60 percent of respondents have experienced insider-related events in the past 12 months, while only 52 percent of companies reported a virus incident.

Yet while the average annual cybercrime losses per company more than doubled in the past year, almost two thirds (63 percent) of respondents said that losses due to insider-related events accounted for 20 percent or less of those losses.

Fifty percent cited the loss or theft of laptop or mobile devices, while 25 percent cited misuse of instant messaging services.

Another 25 percent said they had experienced “unauthorized access to information” in the past 12 months, and 17 percent said they have suffered loss or theft of customer/employee data.

“A great deal is made of the insider threat, particularly by vendors selling solutions to stop insider security infractions,” the report observes.

Some 30 percent of respondents stated that, despite new laws concerning breach disclosure, they experienced at least one incident that was never reported outside the organization.

Twenty-six percent said they did not report their incidents to law enforcement because of fears of negative publicity.

http://www.darkreading.com/document.asp?doc_id=133762&WT.svl=news2_5

Email Encryption Gets Easier

Posted on September 14, 2007December 30, 2021 by admini

Remember the OpenPGP and S/MIME email encryption wars? Back then, it was all about which encryption protocol would become the standard for protecting email messages from prying eyes. The headache and complexity of using encryption keys for messaging wasn’t appealing to the typical organization or end user. “The way a traditional PKI works, it’s useless to make the majority of information workers send and receive email” with it, says Richi Jennings, an analyst with Ferris Research.

But email encryption technology is actually getting easier to deploy and manage today, with new approaches such as identity-based encryption (IBE) from companies like Voltage Security and Identum that match users to their more tangible email addresses or logons.

So far, email encryption is still mainly used by organizations with highly sensitive missions or information, or paranoid security types who know too much. But enterprises, especially those under the heaviest regulatory microscopes like healthcare and financial services, are starting to look more closely at email encryption.

Aside from Voltage Security’s SecureMail, which uses a special algorithm that turns a user’s logon or email address into a public/private key pair, email encryption pioneer PGP yesterday rolled out a new feature for its PGP Universal Gateway product that lets you send encrypted mail to an organization or recipient that doesn’t have secure messaging. “It’s [email encryption] becoming more usable,” says Christopher Gervais, enterprise architect for Partners HealthCare System, a Boston-based network of hospitals and research labs, who says email encryption may be an option for the company in the near future.

“Some of the email encryption experience for end users has become more integrated — there’s no more goofy manual certificate management, or [having to decide] do I encrypt this or that. Integro Insurance, for instance, runs Voltage’s appliance for internal email among its 13 locations worldwide, and then with a Web-based setup for external messaging. “Encryption has to be painless or people are not going to do it,” says Fred Danback, principal and head of global technology services for Integro Insurance Brokers. “The [win] was largely due to the security of our infrastructure and our ability to send and receive encrypted messages.” “That’s not what encryption maestros call desktop-to-desktop, but it means certain email is not going unencrypted over the public Internet.”

http://www.darkreading.com/document.asp?doc_id=133830&WT.svl=news1_4

CA Data Protection Rule Moves Forward

Posted on September 8, 2007December 30, 2021 by admini

The bill would provide notice to consumers, telling them which retailers lost their credit or debit card information, and when the information was lost. It would require retailers responsible for data breaches to assume all costs of consumer notification and card replacement. It also would require retailers to follow key provisions of the payment card industry data security standards to ensure proper retention and protection of credit and debit card information. “Passage of this legislation is a great example of credit union teamwork and demonstrates the strength of our comprehensive advocacy efforts,” California Credit Union League President and CEO Bill Cheney said in a statement. “It is extremely gratifying to credit unions that the state Senate has approved the bill by such an overwhelming margin.”

The California Retailers Association opposes the bill. The group took out a political ad in the Sacramento Bee, with support from the California Bankers Association. It claimed that credit unions are exempt from the data security provisions.

The CCUL said they already meet those requirements under existing laws.

The full text of the bill is available online through the California Legislature’s Web site.

http://www.darkreading.com/document.asp?doc_id=133382