Author: admini

Companies are Thinking of Information Security as a Strategic Asset

Posted on by admini

I think this trend can also be examined from the angle of compliance with PCI standards— payment card industry data security standards (PCI DSS). Visa certainly didn’t like this behavior and was at the forefront of levying fines against offending merchants for not passing their PCI audits. The council is adopting more stringent standards and requirements around keeping card data safe for all those involved in the payments chain—banks included.

It’s encouraging to see that information security is taking on greater importance at organizations, even beyond compliance requirements.

Getting back to the E&Y study, the firm found that companies are better integrating their information security and risk management initiatives (82 percent of respondents). More than two-thirds (69 percent) of respondents felt that information security improves IT and operational efficiencies.

This finding sharply contrasts to previous years, according to the firm, when information security was viewed as a barrier to IT and operational efficiency.

Nearly a third of respondents said they never meet with their board or audit committee.

Although E&Y didn’t specify the kinds of companies involved in the study, it’s not too difficult to draw parallels to the financial services industry.

http://www.banktech.com/blog/archives/2007/12/companies_are_t.html;jsessionid=CESVIN0SMPC0UQSNDLPSKH0CJUNN2JVN

Read more

Mashups, SAAS Present Security Risks

Posted on by admini

Web services are typically XML-based, and HTML is the language needed to design Web pages, upon which mashups reside. “You have to explicitly design that in,” he said. “And by explicit, that means you have to design authentication and authorization into the way that the service responds to consumers. Mashups, by their nature as a composition of services, don’t introduce new security issues, Schmelzer said.

“The security issue in composition is the problem of security context in which you have to deal with the fact that composing different systems might mean trying to span different identity domains, which is a significant problem for companies that have not made a prior investment in identity management systems,” he said. That said, the security issue is not a fatal flaw for SAAS, mashups and SOA, Schmelzer said.

Douglas Crockford, a senior JavaScript architect at Yahoo who is know for discovering the JavaScript Object Notation, said there’s been nothing really new done to HTML since 1999, which has led to security problems and security risks down the line for technologies such as mashups. “We’ve been so distracted by XML that HTML has not gotten the attention it needs,” said Crockford, who was on the panel at the show..

Michael Day, founder of YesLogic and the architect of the Prince formatter, said XML does have a future on the Web, if only as a server technology. XML seems to have gone the way of other technologies, such as Java, that started out as client-side technologies and ended up in the server realm, Day said.

http://www.eweek.com/article2/0,1759,2227704,00.asp?kc=EWRSS03119TX1K0000594

Read more

Study Reveals Overlooked Sources of Leaks

Posted on by admini

Lost laptops, emails sent to the wrong address, sensitive documents left on photocopiers, employees walking out of the building with confidential papers or storage media — these are not new sources of leaks, but they remain the most common, the study finds. “Most of these are accidental, not malicious,” Seth says.

Some employees repeat sensitive information on social networking sites such as MySpace or Facebook, while others may be overheard in a restaurant or on an airplane. An employee might be shoulder-surfed at a coffee shop or on a train, or lose an unencrypted storage device in a public place, the study observes.

The study also found some methods of leakage that may not be anticipated, such as “print screen” capabilities or photographing of screens on mobile devices. “I know it’s a tired phrase, but we’re talking about human behavior here, and the only way to correct the problem is to correct the behavior.”

http://www.darkreading.com/document.asp?doc_id=140412&f_src=darkreading_section_296

Read more

Amount of malware grew by 100% during 2007

Posted on by admini

Other increasing data security phenomena during 2007 included parasitic behavior, like the Zlob DNSChanger, and increasing security exploit activity for Apple products, including both Mac’s, iTunes and the iPhone.

The increased popularity of social networking services carries similar risks.

On the mobile security front Symbian S60 as the most popular smartphone platform has done a good job of curbing malware with its 3rd edition software.

http://www.net-security.org/malware_news.php?id=886

Read more

Cybercrime agency faces cuts as computer raid threats grow

Posted on by admini

In particular, Finjan investigated an attack that used zero-day exploits – malicious software for which there are no security patches – that was designed to steal confidential information.

On Saturday, The Times disclosed that the Director-General of MI5 had written to businessmen with a warning that they were being attacked by Chinese cyberspies. Ian Brown, of Oxford University, a cyber-espionage expert, said that British businesses were more vulnerable than they need to be because of the merger and planned job cuts. Critics say that leaves cybercrime and web-based industrial espionage too far down the agenda.

http://business.timesonline.co.uk/tol/business/industry_sectors/technology/article2994807.ece

Read more

Security Breach Costs Jump 30%

Posted on by admini

Notification costs were down 40 percent, to $15 per customer, suggesting that companies are learning from each other, Dasher says.

Dasher says when PGP sells its software, which encrypts data, more people inside a company are now involved in purchasing it.

This is Ponemon’s third survey of data breach costs since 2005.

http://www.baselinemag.com/article2/0,1540,2223732,00.asp

Read more