admini – Page 198 – CyberSecurity Institute

Information Security Trends, Issues Continue to Evolve – FINSEC 2006 Conference, New York

Posted on December 9, 2006December 30, 2021 by admini

His descriptions of Key Indicators for the Financial Sector: What to Monitor and Log showed the approaches to logging and monitoring and noted that while regulatory rules mandate that banks regularly monitor event logging, it is growing more popular among institutional management as a way to protect not only the perimeter of the institution’s operations, but the data at rest too. Centralized monitoring offers institutions economies of scale through consolidated reporting, and correlation opportunities on an enterprise-wide effort.

Among other presenters was Karl Kasper, of JP Morgan Chase who spoke on “Security Architecture as a Foundation for Risk Analysis.”

Parker Foley of Wachovia spoke on Trends in Information Security Standards. Foley’s take on the drivers behind the trend toward higher-level models in policy structure and distributed models in management responsibility include the move to a business approach to security and the pressures of efficiency and cost reduction at larger banks.

Keynotes were presented by Thomas Dunbar, Global IT Chief Security Officer of XL Capital; Anish Bhimani, Managing Director of IT Risk Management for JP Morgan Chase Bank, and Ron Insana, Senior Analyst for CNBC. Dunbar’s keynote on Beyond the Expected: The Impact of Sarbanes-Oxley on Information Security Management, showed the direct link between a strong InfoSec department effectively dealing with Information Security as a business risk management issue and compliance with SOX.

Bhimani sees the evolution of information security into risk management as necessary to align with operational risk, regulatory compliance; and the partnership of information security with IT Audit in larger organizations will help make info security more visible.

http://www.bankinfosecurity.com/articles.php?art_id=172&PHPSESSID=1162cdc3d2eaefeb8ecf4017f0b2e046

Oracle Spurs Single Sign-On Surge

Posted on December 8, 2006December 30, 2021 by admini

The password reset problem is especially acute in environments like Oracle’s, where users may log onto half a dozen different apps, sometimes hosted on different servers and operating systems, on a given day.

The new Oracle suite is designed to help with that problem, according to Hasan Rizvi, vice president of security and identity management products at Oracle.

Oracle’s suite, which supports SAML, could be a stepping stone to more full-blown federated ID management environments that enable users to log onto many apps with the same password, analysts say.

http://www.darkreading.com/document.asp?doc_id=112382&WT.svl=news1_5

Ideas You Can Steal from Six Sigma

Posted on December 8, 2006December 30, 2021 by admini

With the blessing of top management, security looked at the entire supply chain and made some discoveries that were not apparent to individual managers.

Voice of the Customer (VOC) VOC is the process used to determine the needs of the customer, aimed at improving the customer experience and increasing loyalty. “Voice of the Customer forces you to leave the ivory tower and reach out and interface with your customers,” explains Greg Avesian, vice president of enterprise IT security at Textron. Following VOC’s directives to interface directly and frequently with the customer (Avesian meets formally with business unit CIOs every quarter, for example) ensures that security’s focus is on servicing the business units rather than guarding the bits and bytes, he says.

Failure Modes and Effects Analysis (FMEA) The FMEA procedure aims to identify every possible way in which a process or product might fail, rank on a scale of one to 10 those possible failures and probable causes, and prioritize solutions. “For security, the twist would be to say not just how could a given step fail, but how can we make it fail, how can we force it to fail?”

http://www.csoonline.com/read/120106/fea_six_sigma.html

The Truth about Patching

Posted on December 6, 2006December 30, 2021 by admini

They are simply different ways of performing the same job, either using a small software “agent” or polling from a central location to collect data on the target system. Here we focus on five, which fall into the categories of accuracy, scalability, bandwidth, speed and coverage.

Some IT professionals believe that being a resident on the client or server enables agent-based systems to collect more information, and ensures they won’t miss machines that are turned off. It’s what you do with that data that matters. And while it’s true that an agentless architecture cannot poll a machine that’s turned off, it’s also true that end users can — and do — disable software-based agents.

Additionally, if a user attaches a rogue machine to the network, it won’t have an agent and may not be found unless the company has another means of detecting such machines. Even an agent-based system still needs to evaluate data that the agent collects, which means that data must flow over the network at some point — so it does need a certain amount of bandwidth. But even though some older agentless systems did consume significant bandwidth because they had to read entire copies of files across the network to check versions, more advanced agentless systems have overcome this shortcoming and now consume only moderate amounts of bandwidth.

In an agent-based scenario, if all agents are reporting in at once, you should ask whether that server can keep up. And in practice, it’s not likely that the scanning tool will be the gating factor in how quickly you can get a patch out — it’s how quickly the third-party vendor makes the patch available.

http://www.it-observer.com/articles/1288/the_truth_about_patching/

Virtual concerns

Posted on December 1, 2006December 30, 2021 by admini

Multiple real servers can be consolidated into one larger, more powerful virtual server platform; just pack a single server with a lot of memory and a very fast CPU. But what’s coming on the virtual forefront is even more revolutionary. I know of one company that’s going to allow its employees to work from home using virtual images. The company will send the entire corporate image to the employee over a VPN connection, or at worst, on a single DVD.

Security experts and power users are using virtual machines to explore the riskier parts of the Internet without worry of host desktop modification. Banks and protection vendors are coming up with innovative solutions that involve sending virtual desktops to their online customers to prevent remote control bots from stealing PINs or fraudulently transferring bank balances.

First, because new virtual machines are so easy to create, administrators and operators aren’t treating them with the same security thoroughness as they do real metal and wire servers.

Second, if attackers break out of a VM into the host, they can immediately impact every other supported host on the server.

Third, anti-virus software and other scanners on the outside can’t easily scan inside virtual workstation images for worms, bots, and other threats.

Last, there are no comprehensive studies to prove how well a virtual machine protects against running malware.

Like instant messaging and USB thumb drives, the virtual revolution is coming whether you like it or not. Discuss the impact virtual machines will have on your environment, especially on security, with vendors and your technical staff.

http://www.infoworld.com/article/06/12/01/49OPsecadvise_1.html

New E-Discovery Rules Take Effect

Posted on December 1, 2006December 30, 2021 by admini

E-mail has been used as evidence in court cases for years; the amended rules also cover electronic documents, spreadsheets, image and sound files, and database info.

The amended rules explicitly state that requested information must be turned over within 120 days after a complaint has been served on a defendant. If this deadline isn’t met, it’s possible that electronic evidence could be ruled inadmissible. Or in the instance of a defendant sitting on potentially damaging evidence, courts can levy fines and other penalties.

The amended rules are to CIOs what Sarbanes-Oxley was to CFOs, says Riki Fujitani, a former attorney who’s now president of IT service provider Hoike.

The courts are showing their understanding that information is much easier to retrieve from modern storage technologies, while at the same time acknowledging that finding the right information on obsolete media could be just as difficult as digging up a paper document in a warehouse of filing cabinets.

In a survey by Enterprise Strategy Group, 91% of 568 e-mail, database, and compliance pros at companies with more than 20,000 employees said their organizations had been issued a discovery request for e-mail last year.

One thing that’s anything but ambiguous is the legal system’s disdain for companies that intentionally destroy electronically stored information. Morgan Stanley in May paid $15 million to settle Securities and Exchange Commission charges that it destroyed more than 200,000 e-mails and failed to cooperate with SEC investigators looking into Wall Street business practices.

Courts have over the past six years or so changed their views on the credibility of electronic documents, says Diego Maldonado, senior VP of the government technology group within consulting firm The Newberry Group.

Despite the amendments, there are still gray areas related to e-discovery.

http://www.informationweek.com/news/showArticle.jhtml;jsessionid=TEDZYBQNAAK00QSNDLPCKH0CJUNN2JVN?articleID=196600853