Security News Curated from across the world
“Today’s businesses cannot grow in the absence of a healthy environment for the realization of new innovations,” said IDC Vice President Chris Christiansen in a prepared statement.
ยท And, creating a repeatable process for making risk/reward calculations for new initiatives.
http://www.securityinfowatch.com/online/IT-Asset-and-Technology-Centers/IT-security-fears-snarl-business-innovation/17857SIW364
The Verizon report is a collective analysis of some 530 forensic investigations of data breaches that the company has done in large enterprises. It breaks down the causes of the breaches by industry and draws conclusions about the most common types of attacks committed in each.
In financial services, for example, Verizon investigated many sophisticated attacks involving cooperation of insiders and organized outsiders, as well as social engineering. In the food and beverage industry, on the other hand, the attacks were much less sophisticated, and the likelihood of internal attacks was only about 4 percent, while the likelihood of external and partner attacks was 70 percent to 80 percent. “In food and beverage, though, we saw a lot more repeatable, data-compromise-in-a-box sort of attacks — sort of the way…” Verizon found similar differences in the sophistication and approaches used to attack data in other industries, including retail and high technology.
Retail, for example, reported the highest number of breach incidents, but a relatively low level of attack sophistication.
What these results might mean, Sartin says, is that employing a generic risk calculation, such as the likelihood of insider threats, may be a mistake unless industry-specific factors are accounted for.
http://www.darkreading.com/document.asp?doc_id=165107&WT.svl=news2_3
Air passengers scanned by the new technology walk into a large booth where electromagnetic waves are beamed on to their body to create a virtual three-dimensional “naked” image from reflected energy.
Gareth Crossman, Director of Policy at Liberty, said: “I don’t think people are aware of what these scanners can do and how demeaning it is to have your body on display.
Security officials in the United States have pioneered use of the scanners at New York and Los Angeles airports because the technology reveals the contours of the body, picking up hidden items, such as guns or knives, more effectively than standard physical “pat-down” checks. Paolo Costa, Chairman of the European Parliament’s Transport Committee, is concerned over the safety of the new technology and how “nude” images of passengers will be viewed, then stored, by security officials.
http://www.telegraph.co.uk/news/worldnews/europe/3110533/EU-to-introduce-virtual-strip-searches-at-airports-by-2010.html
“As you globalize and move into new regions that you haven’t worked in before, you really need to understand the cultural differences” in order to implement an effective data protection strategy, said Marie Hattar, Cisco’s vice president of network and security solutions.
For example, about 64% of the IT decision-makers surveyed in China and nearly half of the ones in Brazil said they thought that employees at their companies allowed outsiders to use corporate laptops and mobile devices without any supervision.
Meanwhile, 39% of the end users polled in Brazil and 20% in India admitted to sharing sensitive information about their jobs with family members and friends; another 8% and 7%, respectively, said they had shared such data with absolute strangers. In a majority of the cases, the survey respondents said they discussed sensitive information with others because they wanted to bounce an idea off of someone or just vent.
Compared with workers in other countries, a significantly larger proportion of end users in China (42%), Brazil (26%) and India (20%) altered the security settings on their company-issued laptops.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9116018&source=NLT_AM&nlid=1
With the Computer Security Institute reporting that 46 percent of computer security professionals have had security incidents in the past year, 26 percent of which have had more than 10, you begin to see the magnitude of the problem.
Sixty-five percent of this cost is the direct result of lost business, including customer termination—a rate that is increasing by 30 percent a year.
All this amounts to an unpleasant picture, one where current practices in breach response are falling short in keeping your customers, and therefore revenue, within your company.
Legal obligation vs. Customer satisfaction Recent research by the Ponemon Institute, the Consumers’ Report Card on Data Breach Notification, has provided some of the most useful information to date to help organizations determine the most effective techniques to minimize the impact of a breach and to retain customers. Large delays in notification signal to your customers that you are hiding something and/or they are not important to you, despite some realities that it takes time to assess the impact of a breach. Although it may not be possible to notify customers within a week, or even several weeks following a breach, your goal should be to notify them as soon as possible, with what reasonable information you can divulge at that time.
Do they have to close their credit card accounts? Many respondents in the Ponemon study found communications to be unbelievable or misleading, failing to reduce their fears about potential harms they faced because of a breach. Although you are the barer of bad news, you also have the opportunity to be the barer of solutions. Lay out for your customers the “next steps” they can or need to take after they are notified. Include information, phone numbers and Web sites on freezing credit files, getting free credit reports and other tips customers might want to know and follow.
At little or no cost to your organization, acting as an educator will not only help your customers recover from the incident, but maintain your organization as a trusted source.
Offering identity protection services has proven to have a positive effect on customer retention, and in many cases, offering such services is more affordable than new customer acquisition strategies. Individuals who receive free or subsidized services, such as credit monitoring, identity theft insurance or identity recovery services, feel less concerned and worried about the breach after it happens.
http://www.csoonline.com/article/451785/How_to_Minimize_the_Impact_of_a_Data_Breach?source=nlt_csoupdate
This is a pervasive problem that requires a holistic approach, starting with a ‘best practices’ DNS architecture and including processes and systems to quickly patch production DNS systems when new vulnerabilities and exploits are released… We are committed to providing solutions that not only address today’s threats but that also provide a lasting ability to provide protection as new attacks emerge.”
The Infoblox appliance-based solution provides protection against the DNS exploit and also provides features that will be essential for detecting and thwarting future attacks. Infoblox’s newest NIOS release, version 4.3r2, includes security features that monitor DNS protocol traffic, provide reports and proactive alerts when an attack is in progress, and a means to automatically mitigate attacks. Infoblox grid technology patch and upgrade appliances with a single command, in a production network, without incurring DNS service downtime.
Infoblox’s NIOS operating system enable administrators to obtain a detailed view of the devices actually connected to the network; reconciliation makes it easy to align the Infoblox IPAM database with the actual state of the network, providing a means to find lost assets and detect rogue devices. Further, it allows customers to have multiple instances of the same network address space in a single grid with a common management interface; multiple networks can be viewed and managed simultaneously, without opening and closing different configuration sets.
http://it.tmcnet.com/topics/it/articles/41236-infoblox-unveils-dns-firewall-address-dns-vulnerability-concerns.htm