January 2010 – CyberSecurity Institute

Enterprises Look for Help Managing Security Logs

Posted on January 21, 2010December 30, 2021 by admini

SIM equipment can centralize event and log management information from security devices and computers, but the drawbacks to its use include up-front costs, complex installations and hiring the expertise to manage it.

SIM as a managed service only started to gain momentum within the past two years, largely due to compliance mandates such as the Payment Card Industry (PCI) data security requirements, says Gartner analyst Kelly Kavanagh. Managed SIM options range from as simple as centralizing log collection and reporting, to as complex as event correlation and round-the-clock security-event monitoring.

Occasionally SIM as a managed service will entail “complex correlation, perhaps related to network alerts from firewalls and switches, information that may seem to be related,” he notes, and a service might provide an analyst to monitor events round the clock. The company directly manages IT for more than 100 of its corporate restaurants, plus keeps track of PCI-related compliance matters for about 160 franchises which operate more independently. Not only did the up-front costs of doing it in-house seem high — SIM equipment can easily reach into the half-million dollar range — but also Fuddruckers realized it would have to hire SIM experts to make it all work.

Largely based on information gleaned from conversations with peers, just over a year ago Pumphrey decided to try SIM as a managed service, selecting Trustwave to monitor about 500 log files at least once daily on behalf of Fuddruckers, triggering an alarm if suspicious events arise.

“We see ourselves as a managed alternative to what customers might want to do themselves with ArcSight or Q1 Labs,” says Dan Schleifer, senior product manager for managed security services at Trustwave, referring to two well-known SIM product vendors.

That’s the approach that service provider FishNet is taking, according to CEO Gary Fish.

Tom Turner, vice president of marketing and sales at Q1 Labs, says it’s comfortable partnering with a managed service provider such as FishNet, viewing the relationship “as potentially offering us a broader market.”

SecureWorks is regarded by Gartner as a “pure play” SIM managed service provider, as opposed to a global service provider that offers SIM among a wider menu of services. The security firm is a veteran in the business, having started about a decade ago.

http://www.csoonline.com/article/print/521466

5 tips for cybersecurity-training your employees

Posted on January 21, 2010December 30, 2021 by admini

When Lauer arrived at the agency, he had a list of more than 20 noncompliance items from Federal Information Security Management Act audits.

Now when users log on to the MCC network, they are greeted by a Tip of the Day awareness training application, which asks a question about IT security. Besides giving managers an easy way to assess the agency’s training program, the daily quizzes have also made employees more mindful of security.

“We’ve had a tremendous reduction in viruses,” Lauer said. “Instead of clicking on things, [users] call the help desk. They never used to do that before.”

But not every agency can report such success. Indeed, experts say the goals of user training efforts are still a long way from being realized. “There is a gap, and the gap is costly because it undermines all the technology being thrown at security problems,” said Keith Rhodes, senior vice president and chief technology officer at QinetiQ North America’s Mission Solutions Group. “No approach to training is infallible because human beings are fallible, and of course, human fallibility is what training tries to counter,” Rhodes said.

Four out of five federal IT managers said they provide ongoing classes on security policies and procedures. But even then, almost half had seen employees post passwords in public places, violating one of the most fundamental security proscriptions. The survey highlights one of the hardest tasks in IT security: changing user behavior. For instance, firewalls won’t prevent an employee from stowing passwords under a mouse pad or engaging in other careless practices.

Security managers and industry consultants say there are a few basic techniques for evaluating the effectiveness of IT security training and improving the odds that the lessons will sink in. At MCC, new employees receive IT awareness training as part of their orientation, and the security tip of the day provides ongoing reinforcement. MCC officials keep tabs on employees’ security awareness by tracking responses to those daily quizzes via a monthly performance report.

Organizations with multiple locations always face a tough challenge when it comes to developing and measuring the success of training programs. The state is 18 months into a four-year initiative that will meld the IT operations of 16 executive branch agencies under the statewide Office of IT. “To get metrics to prove that end-user security is working, you’ve got to be in a consolidated environment,” said Seth Kulakow, Colorado’s chief information security officer. Consolidation will provide the consistency required to gather the correct metrics, he added.

Barr recommends that agencies use internal IT security employees to conduct quarterly vulnerability assessments and external experts for annual vulnerability assessments.

Elsewhere, Colorado’s Kulakow has recommended making an employee’s adherence to security policy part of his or her performance evaluation.

Content filtering and data loss prevention are among the products agencies can use to counteract human nature, said Keshun Morgan, a networking and security specialist at CDW-G.

Tip no. 1: Make employee testing simple and routine
Tip no. 2: Check what they do, not just what they know
Tip no. 3: Put security in personal terms
Tip no. 4: Invoke consequences for misbehavior
Tip no. 5: Always remember the limits of training

http://fcw.com/articles/2010/01/25/feat-cybersecurity-training-a-must.aspx

Product Watch: NitroSecurity Integrates Log Management With SIEM

Posted on January 14, 2010December 30, 2021 by admini

The tools also work with NitroSecurity’s database application monitoring and IPS tools: “We work at Layer 7, so if someone tries to get into the database who shouldn’t,” the security team is alerted, says Jerry Skurla, executive vice president of marketing for NitroSecurity.

Eric Knapp, vice president of technology marketing for NitroSecurity, says SIEM and log management integration has been slow to emerge because of the heavy volume of logs.

http://www.darkreading.com/security/management/showArticle.jhtml?articleID=222300869&subSection=Security+administration/management

IDC Expects A/P Security and Vulnerability Management Market to Achieve Largest Growth in 2010 as Or

Posted on January 13, 2010December 30, 2021 by admini

The security landscape has been seeing new threats growing explosively in number and complexity – attacks that exploit the vulnerabilities of applications, insider sabotages, identity fraud and unauthorized access to corporate systems and networks.

Companies are required to align with international regulations, standards and best practices when collaborating with business partners around the world.

Many of these companies have turned to SVM products to establish a security management framework for various compliance requirements such as policy compliance, log archiving and auditing,” said Judy Wu, Research Manager for IDC Asia/Pacific Security Research.

At the same time, previous purchase and deployment of security products over the years have increased management and integration complexity.

The SVM segment is a key growth area across Asia/Pacific as companies turn to SVM’s capabilities – such as patch management, policy enforcement and security incident analysis and management – to reduce complexity and increase management efficiency.

Compared with the first half of 2008, there was a minor decline in 1H09 for security spending due to the global recession which reared its ugly head at the end of 2008.

We expect companies to continue to find ways and leverage new security technologies such as policy and IT compliance suites, as well as vulnerability assessment and risk management products to increase management efficiency.

http://www.idc.com/getdoc.jsp?pid=23571113&containerId=prHK22160710

Virtualization security remains a work in progress

Posted on January 11, 2010December 30, 2021 by admini

One development that occurred this year is the release of VMware’s security APIs. After talking up the idea since February 2008, VMware in April 2009 finally released its VMsafe APIs intended to help security vendors build products to work with its platform.

“We’re not using the VMware APIs today due to performance,” says Richard Park, senior product manager at Sourcefire, which in early December shipped its first virtualized sensor and management console for VMware ESX and vSphere4. Sourcefire’s traditional physical appliances are network sensors that can do both intrusion-detection monitoring and intrusion-prevention blocking. But at this point, the Virtual 3D Sensor and Virtual Defense Center will only provide monitoring visibility into VMware’s ESX hosts, not blocking of attacks.

At the Gartner ITExpo in October, Gartner Vice President Neil MacDonald publicly excoriated some security vendors for not moving more rapidly to come up with software-based virtual appliances, insinuating they would rather stick to their old ways of selling expensive hardware boxes. Enterprise customers are rapidly virtualizing their IT environments and often unwittingly creating less-secure results even as they reap the many benefits of virtualization, MacDonald says. Roping off virtualized servers with virtual LANs alone — a common practice — “is not sufficient for security separation,” MacDonald says. MacDonald says virtualization is causing some “business-model disruption” in security and praised the efforts of some vendors, including Trend Micro, to leap in with new offerings to take on the virtualization challenge.

Trend Micro’s Core Protection for Virtual Machines, antimalware software that was designed for use with VMware, was released in the third quarter. According to Bill McGee, senior director of product marketing at Trend Micro, both products make some use of tools in VMsafe. VMware has been among the most aggressive of the virtualization software vendors to open up their technology to optimize security functions, he says, while so far the actions of Citrix and Microsoft seem “more limited” in this area.

For its part, VMware says it’s glad to see a number of vendors, including Altor Networks, Reflex, ISS IBM and Trend Micro, adopting the VMsafe technology.

According to Forrester Research, adding hypervisor technology (Citrix Xen, VMware vSphere and Microsoft Hyper-V) “does add some marginal risk to IT environments, because it layers additional software on top of existing operating systems.

According to Jacquith, one disappointment remains VMware’s Live Migration feature for configuring VMs so that they automatically migrate from one farm host to another, for purposes of fault tolerance and business continuity.

http://www.computerworld.com.au/article/330761/virtualization_security_remains_work_progress/?fp=16&fpid=1

Airport breaches on the rise nationwide

Posted on January 10, 2010December 30, 2021 by admini

Statistics from the 2009 fiscal year weren’t included because the GAO released its report just after that fiscal year ended.

“While some breaches may represent dry runs by terrorists or others to test security or criminal incidents involving airport workers, most are accidental,” the report said.

Joe Terrell, TSA’s federal security director at Pittsburgh International Airport, said through a spokeswoman no breaches occurred at the Findlay airport since he assumed his post in August 2005.

In that incident, a woman squeezed through a 1-foot gap between a checkpoint metal detector and an X-ray machine and continued to the airside terminal, where she boarded a flight to Houston. She got by because the nearest TSA screener — overseeing two checkpoint lines — was dealing with another woman who tried the same stunt.

In its report, the GAO said airports have several secure areas with varying levels of security. They include baggage loading areas, exterior areas near terminals and what the TSA calls air operations areas, including the airfield; areas near parked aircraft; and air cargo and aircraft maintenance facilities, the report said.

Pittsburgh International Airport is situated on more than 9,000 largely wooded acres, making it one of the largest airports in the country by area — and an attractive hunting ground for overzealous hunters. Hunters who go over or under the perimeter fence surrounding the airport’s 9,000 acres would have to go beyond a second fence around the air operating area to breach security, he said.

Davis also attributed the jump in breaches nationally to heightened awareness or enforcement triggered by high-profile breaches elsewhere; management changes; and increased, random government inspections of airport security.

http://www.pittsburghlive.com/x/pittsburghtrib/news/cityregion/s_661513.html