admini – Page 119 – CyberSecurity Institute

Want Better Security? Reward Your Provider

Posted on May 26, 2010December 30, 2021 by admini

Without a reward, “You are not providing any incentive for the managed security service provider to detect breaches,” says Asunur Cezar, the paper’s lead author and an instructor at the Middle East Technical University in Ankara, Turkey. “It may be penalized after some investigation, but that does not necessarily act as an incentive.”

The research also found that, when penalties are limited in some way, the second variant — using one MSSP for monitoring and another for detection — provides better security. The researchers pointed to court cases that limit penalties against service providers, concluding that such real-world limits mean having one provider essentially audit the other leads to the best performance.

The results of the study could be interesting academically, but they might not translate well to real-world MSSP contracts, says John Pescatore, vice president of analyst firm Gartner. In the real world, service firms are providing a specific function, not blanket protection, so it is usually difficult to penalize the companies for a breach. “The contract is to manage your firewalls or manage your firewalls, intrusion detection system, and antiviral — they are not saying, ‘Sign up with us, and we will protect you against all breaches,'” Pescatore says.

http://www.darkreading.com/securityservices/security/management/showArticle.jhtml?articleID=225200295&cid=RSSfeed

Default Database Passwords Still In Use

Posted on May 25, 2010December 30, 2021 by admini

The rampant use of default passwords within live database environments continues to plague the security of enterprise data, researchers say. “It’s a problem that has been around for a long, long time,” says Alex Rothacker, manager of Team SHATTER, Application Security Inc.’s research arm. “A lot of default passwords out there get installed when you deploy a database, you install an add-on to it, or even if you install a third-party application that uses the database.” As he puts it, the problem of default passwords lingering in the wild has built up during the years as a result of cumulative errors by both vendors and database administrators.

In the past, the majority of vendors had no compunction about pushing out installers that automatically created default accounts to expedite the deployment of new databases, add-ons, or applications on top of the database.

Rothacker says the situation on the vendor front has improved considerably in recent years, but default passwords continue to be a problem for a number of reasons.

Organizations that choose to skip such a review could be leaving themselves at serious risk, says Rich Mogull of Securosis.

Team SHATTER last week launched a series of week-long database vulnerability-a-day awareness campaigns to draw attention to a wide range of database deployment deficiencies in the enterprise.

http://www.darkreading.com/database_security/security/app-security/showArticle.jhtml?articleID=225200102&cid=RSSfeed

German watchdog tells firms to do own US privacy checks

Posted on May 25, 2010December 30, 2021 by admini

Multinational companies can use binding corporate rules to send data to parts of the company in different countries, and companies can also use model contract clauses produced by the European Commission to bind companies outside of the EU to its high data protection standards.

The Düsseldorfer Kreis has said, though, that there are worries about how thorough US companies are being when they claim they have complied with the Safe Harbor deal, and has told German companies that they must make their own checks on US firms. “Any certification older than seven years old is not valid.” The group also said that companies must check how US companies tell the subjects of the data being transferred that it is processing their data and ensure that privacy regulators can check that this has been done.

A large number of organisations failed to comply with Principle 7 — Enforcement and Dispute Resolution, as they did not identify an independent dispute resolution process for consumers. Many of these false claims have continued for several years,” said the study, which examined compliance with just one of the scheme’s seven Safe Harbor Framework Principles. The study was not the first to find problems in the implementation of the Safe Harbor programme.

“Overall the study found that the problems identified in previous reviews of the Safe Harbor have not been rectified, and that the number of false claims made by organisations represents a significant privacy risk to consumers,” it said.

Louise Townsend of Pinsent Masons, the law firm behind OUT-LAW.COM, said that companies should be making basic checks on any firm they hire to process data for them even if they are part of the Safe Harbor programme.

http://www.theregister.co.uk/2010/05/25/eu_us_privacy/

IBM to acquire Cast Iron Systems for cloud boost

Posted on May 25, 2010December 30, 2021 by admini

“The integration challenges Cast Iron Systems is tackling are crucial to clients who are looking to adopt alternative delivery models to manage their businesses,” said Craig Hayman, general manager at IBM WebSphere, in a statement.

“The combination of IBM and Cast Iron Systems will make it easy for clients to integrate business applications, no matter where those applications reside.

http://www.sdtimes.com/IBM_TO_ACQUIRE_CAST_IRON_SYSTEMS_FOR_CLOUD_BOOST/By_David_Rubinstein/About_CASTIRON_and_CLOUDCOMPUTING_and_IBM/34371

McAfee, Symantec add mobile security to lineup

Posted on May 25, 2010December 30, 2021 by admini

Trust Digital, based in McLean, Va., is used by companies to secure data that travels through mobile networks, using such devices as Apple’s iPhone and iPad. McAfee said the acquisition will extend its business into the mobile market, especially as employees increasingly use smart phones for work.The deal is expected to close by June 30.

With the VeriSign deal, announced May 19, Symantec will have spent nearly $3 billion in two years acquiring technologies that make it a bigger player in other parts of the security market, such as protecting data on mobile phones and delivering software over the Internet. Meanwhile, VeriSign, whose brand is ubiquitous on the Web for protecting online transactions, wants to secure fewer things. Some were curious choices for VeriSign to have in the first place, such as a division that did billing services for telecommunications companies and another that sold ring tones and insurance for mobile phones. The VeriSign division that Symantec is buying sells “certificates” to websites that want protection for their customers’ data. The competition has forced VeriSign to sell more of its cheaper SSL certificates, too, even though their security measures are weaker.

http://www.msnbc.msn.com/id/37343927/ns/technology_and_science-security/

Sourcefire Expands Real-Time Application Awareness, Extending Leadership of Intelligent Cybersecurit

Posted on May 24, 2010December 30, 2021 by admini

“Single-purpose technologies, like firewalls and traditional IPS devices, don’t provide a combined view into the context or depth of users, applications, devices and data on the network… For truly effective protection and policy management, organizations need real-time visibility of everything on the network,” said John Burris, Chief Executive Officer of Sourcefire.

http://www.pr-inside.com/sourcefire-expands-real-time-application-awareness-r1909416.htm