CyberSecurity Institute

Security News Curated from across the world

Author: admini

Avoid Wasting Money on Penetration Testing

Posted on February 21, 2007 / December 30, 2021 by admini

Is it reasonable to assume that an expert at testing Solaris, AIX, and other Unix flavours is also going to be equally good on Windows? The truth is that most consultants have favourite platforms which they know at a deep level, and are either just competent or even incompetent with other platforms. Just as you wouldn’t use a tractor on a racetrack, or a Ferrari in a field, you wouldn’t put a Unix expert on a Windows test, or an Oracle expert on an MSSQL assignment.

Consultants hate report writing

The secret is out – consultants hate writing reports. You don’t ‘see’ the assessment – you see the report!

The report IS the deliverable

Remember, it is the Executive Summary that you will show to your manager, the remediation advice that you will give to your team, and the classified vulnerabilities that your auditor will review.

The Methodology

No doubt you’ve read, or at least skimmed through, the “Methodology” paper on your supplier’s web site, or their glossy brochure. It is designed to demonstrate a deep understanding of the assessment process. A consultant can do an excellent job without following the company methodology, but by not having a structure to work with, there is a good chance the results will be inconsistent at best, and dangerously incomplete at worst. It’s easy to wheel in a star consultant to win the business, but follow through with a trainee.

Finally, remember that companies don’t perform penetration tests, people do. So no matter which company you go to, it always boils down to the person you have working on your account.

http://www.it-observer.com/articles/1308/avoid_wasting_money_penetration_testing/

Security Outsourcing Heats Up

Posted on February 20, 2007 / December 30, 2021 by admini

“While there’s still some skepticism out there — security was also cited as one of the top three factors keeping companies from engaging a managed service provider — there are some providers that have reached a kind of ‘trusted advisor’ status, and they are being engaged more and more frequently to deliver security services,” says Richard Rysiewicz, vice president of services at CompTIA.

RSA president Art Coviello announced a few weeks ago that his division will be working with parent company EMC’s professional services division for risk assessment for enterprises. And BT, which acquired MSSP Counterpane last year, is quietly making a major push into large, global enterprises, according to security guru Bruce Schneier, CTO of BT Counterpane.

“It’s not a choice between doing it in-house and doing it out-of-house.”

The trust issue is a plus for Internet Security Systems, the formerly-independent security vendor that now has become IBM’s arm for delivering managed security services.

Tom Noonan, a founder of ISS who now heads up IBM’s security efforts, says that rather than serving as an add-on, security is now driving many outsourcing projects. He says the researchers “were surprised” when security showed up in the top three reasons for selecting a supplier, just behind quality of service and price.

http://www.darkreading.com/document.asp?doc_id=117795&WT.svl=news1_4

CheckFree to Purchase Corillian in Bid to Expand Offerings to Banks

Posted on February 20, 2007 / December 30, 2021 by admini

“Online banking is becoming increasingly integral to banks’ relationships with their customers, and the Internet is increasingly the point of interaction where services are delivered,” says Olsen.

According to Maggie Scarborough, a research manager with Financial Insight’s (Framingham, Mass.) corporate banking practice, “channel optimization” are the buzzwords of this acquisition. “CheckFree bought the channel for the delivery of its payments to consumers and small businesses; including consumer and business bill presentment and payment. The idea is that plugging directly into the channels gives CheckFree the opportunity to sell more services to Corillian’s expanding customer base, including fraud services, bill payment, and business bill payment and invoice presentment.”

This move is also to Corillian’s advantage, as the company can further expand its potential for sales of online banking, small business banking, cash management, warehousing and fraud sales to CheckFree’s financial institution clients. The deal sounds reminiscent of another such announcement made earlier this year when financial management products provider Intuit announced its plans to buy online banking company Digital Insight. Art Gillis, IT consultant to banks and technology vendors, is not so sure about the extent to which CheckFree’s and Corillian’s bank customers will be affected by the combination. Whatever the outcome of this marriage, the merger shows the increasing importance being placed on the small business segment by the financial services industry, according to Financial Insight’s Scarborough.

http://www.banktech.com/news/showArticle.jhtml;jsessionid=J415R1IAHUNLYQSNDLOSKH0CJUNN2JVN?articleID=197007442

Mobile phone hackers on the rise – study

Posted on February 17, 2007 / December 30, 2021 by admini

The ITM study, sponsored by McAfee, examined mobile operators’ past experiences, current attitudes and future plans with regard to mobile security.

In line with the growing importance of mobile security to service providers, 85 per cent plan to increase their mobile security budgets to tackle issues including network intrusion, mobile viruses, denial-of-service attacks, spam and mobile phishing (SMiShing).

http://archive.gulfnews.com/articles/07/02/17/10104899.html

Global Data Leakage Survey 2006

Posted on February 16, 2007 / December 30, 2021 by admini

The goal was to analyze all leaks of confidential or personal data, cases of employee sabotage or negligence, and any other breach of internal IS which had received at least one mention in the mass media during 2006. The survey is truly global since the analysis includes all internal violations regardless of the geographical location of the particular company or government structures affected by insider sabotage. Thus, all patterns and tendencies revealed in the survey can be equally applied to companies of all industries and countries. This survey is the first global project targeted at the study of breaches of internal IS. In 2004, the InfoWatch analytical center began keeping a database of breach occurrences. This database provided the initial information for the survey.

In addition to financial loss, a company’s reputation is ruined and hundreds of thousands of people face having their identities stolen.

On average, 785,000 people suffered from every leak of private information in 2006. Organizations which allow their employees to use mobile devices are in a high-risk group. The use of mobile devices led to information leaks in half of all breaches (50%); meanwhile, the Internet was used as a medium for leaks in only 12% of cases.

The main threat for a business is a lack of discipline among employees. Negligence led to the overwhelming majority of all leaks (77%) in 2006.

The sources of information leaks

A survey of 145 breaches of internal IS shows that information leaks have a global character.

One cannot point to any area of business or any particular geographical region where companies have rarely or never suffered from the activities of insiders. Small businesses and giant corporations, commercial organizations and governmental establishments all experienced cases of information leakage in 2006.

Insiders managed to jeopardize the security of such strong and well-protected structures as military and special services. Again, such cases involved mobile devices and the Internet. Often, as a result, top secret information became freely available on the Internet, or ended up in the hands of journalists or foreign states.

It is clear that private companies suffer from twice as many data leaks, cases of sabotage and other breaches as government structures. It often happens that the controlling body is responsible for a breach of internal IS. Thus, we have the problem of lack of control over the controller.

Meanwhile, some cases of information theft from government structures become public. This happens when it is simply impossible to hide the incident, or when it becomes necessary to make a public example of the offender. For instance, for many years the US government kept quiet about breaches of internal IS. But today, news about information leaks and gaps in security systems is commonplace. One of the latest cases reached the news when the US Tax Inspectorate announced in November 2006 that almost 500 laptops had been stolen over the preceding 4 years.

Commercial organizations, on the other hand, do not just experience a lot of data leaks, but also suffer from the huge losses they cause. The company’s reputation and brand image are significantly damaged by such leaks. This problem is as vital for government organizations. In a competitive market, customers can easily switch to a more reliable supplier, but one has no alternative but to engage with one’s own state and its governmental ministries. An example which immediately comes to mind in this regard is the information leak from the US Department of Veterans’ Affairs which occurred in May of that year. Whereas IS specialists may need time to identify such channels, insiders — in most cases — already know exactly what they need to do to steal data.

For instance, laptops with unencrypted data are quite often lost, despite the fact that company security policy requires all information on mobile computers be encrypted.

The biggest information leaks of the year

The five most notorious information leaks of 2006 (see table 1) make 2006 the year with the largest volume of information leaks in history. Burglars got into the house of an employee of the Nationwide Building Society and stole a laptop with the company’s clients’ personal information in unencrypted form.

http://www.viruslist.com/en/analysis?pubid=204791919

Modulo Intros Risk Manager

Posted on February 16, 2007 / December 30, 2021 by admini

azil excels in the area of information security, and is a world leader in IT risk management solutions.

http://www.darkreading.com/document.asp?doc_id=117646&f_src=darkreading_section_297
