Security News Curated from across the world
Providers, said Arbor, regularly report attacks beyond the capacity of core backbone sections of the Internet in the 10-20Gbps range.
The bulk of these DoS attacks originate with botnets, collections of compromised computers that criminals have acquired by infecting them with Trojan horses through other means, such as e-mail, spyware, or malicious Web sites.
http://www.informationweek.com/story/showArticle.jhtml?articleID=192701817
On this topic IBM aims continuous data backup software at SMBs One in five firms has no disaster recovery plan MessageLabs launches e-mail archival service Protecting Remote Office Data: D2D Backup/Recovery Solutions Protecting Microsoft Exchange: The Need for Disaster Prevention and Optimization Best Practices for Disaster Recovery Across the WAN Costs and Consequences: Securing sensitive data at the edge of the network and beyond Data Protection – A Top Priority: Reduce the Risk of Costly Data Breaches A Guide to Reducing the Risks of Costly Data Breaches security.itworld.com.
Ultimately IT is there to serve business, and disaster recovery planning should be no different. Well, most IT shops still don’t get it, according to EMC Canada consultant Iain Anderson. People are still making technology decisions, and not business decisions.
According to Paul Saxton, lead consultant in business resiliency at IMB Canada Ltd., recovery capabilities have to be matched to the business requirements. “Understand that disaster recovery and business continuity are part of overall risk management,” he says.
“One of the challenges I see all the time is that business continuity and disaster recovery fall back to the responsibility of IT, and IT’s normal response is to throw technology at it,” says Anderson, client director at EMC Corp. of Canada. Anderson says IT has a responsibility to understand how business workflow ties in to business applications, and how those applications in turn are supported by infrastructure. “We tend not to spend enough time communicating out there with the business units and understanding what their business problems are,” he says.
As a type of insurance policy, it’s helpful to know what threats and vulnerabilities you’re likely to come up against. Unless you’re in a tornado area, on a fault line or flood plane, you probably won’t be building a mirror site of your entire IT infrastructure. But going through that vulnerability and risk assessment can be a heated debate, says George Kerns, president and CEO of Fusepoint Managed Services Inc.
The budget for a recovery plan is large compared to the operating budget, and if the chance of a disaster occurring isn’t high, how do you avoid spending too much? “I think this has to come down to a rational conversation between the CIO and the CEO,” says Kerns. He says most business units believe their IT systems can be back up within hours, while IT will estimate a couple of days and an actual assessment of the technology will reveal a further gap.
“This is a big area where more testing needs to be done, with a more rigorous, more integrated approach and a stronger level of governance around it,” he says. And don’t test to pass; you have to test to fail, says Anderson.
PCI, which includes specifications for both physical and logical security of credit card data, is required for all merchants who accept credit cards or store credit information. Merchants that don’t comply could face fines as high as $500,000, or, in extreme cases, could have their ability to accept credit cards revoked.
PCI 1.0 was issued two years ago, and merchants were supposed to have achieved compliance by the deadline of June 30 of this year.
Experts say the new guidelines are more clear about “compensating controls,” which give merchants a bit more flexibility in their deployment of encryption and other PCI requirements. David Taylor, vice president of data security strategies at Protegrity and a former industry analyst, isn’t so sure. “The new specs are definitely clearer, and that’s great, but I think a lot of merchants were hoping that the new rules would make it easier to comply, and that didn’t happen,” he says.
PCI auditors previously had hoped that PCI 1.1 would somehow divide the specifications between critical requirements — such as the need for encryption and firewalls — and best practices, such as thorough documentation and training.
http://www.darkreading.com/document.asp?doc_id=103292&WT.svl=news2_1
“We’ve seen criminals hack into hospital systems just to get the Social Security numbers of the newborns. There’s no one, obvious group of organizations that hackers are targeting.”
There are still plenty of independent hackers out on the Web — just look at the recent Black Hat and Defcon conferences — who might sell vulnerabilities or stolen data by putting them up for auction.
Worms and viruses invented by independent hackers still make up a huge portion of the damage done to corporations each year, Pierson notes.
But the visibility of these individuals and their exploits sometimes belies the growing, but largely unpublicized threat from organized criminals who buy data from hackers or insiders and sometimes contract with them to collect data from a specific corporation, experts agree.
Pierson gives the example of stolen customer credit card data, which is sometimes handled by multiple individuals in a joint effort. While credit card information might be collected through the collaboration of phishers and spammers, that data might then be passed to “cashers” who forge credit cards that use the numbers. Then those cards will be passed out to a network of “mules” who use the cards for small purchases — the kind that might not be immediately detected by the victim — and thrown away. Then the syndicate of players might sell the account information to another buyer, just as the parts of a stolen car might be resold. A similar sort of “syndicate” might be formed to fence stolen business secrets or customer lists to competitors, or to other nations or terrorist groups, he says.
External hackers may be paid off; insiders may be disciplined or dismissed; and in some cases, the crime is never detected. Although there are cases in which external hackers break into an enterprise they find attractive, most targeted attacks involve some help from an insider, experts say.
http://www.darkreading.com/document.asp?doc_id=103198&WT.svl=news2_1
Doug Merritt, executive vice president and general manager of suite optimization products and technology at SAP, said that consultants in the compliance arena, regulatory bodies and other vendors will also be able to contribute to this repository. “It allows companies to manage hugely heterogeneous landscapes,” noted Merritt. Merritt said the solution will help risk managers and business owners identify financial, legal and operational risks, analyze business opportunities in light of these risks, and develop appropriate responses.
The key to all three solutions, the company said, is that they give line-of-business executives greater visibility of how governance and risk-management policies are implemented and followed in the course of doing business. Effective GRC management can do more than ensure that companies are in compliance with Sarbanes-Oxley and other regulations, said Merritt. “GRC is more business-driven than just keeping the CEO out of jail,” said Merritt in response to a question from internetnews.com during a conference call this week. “Understanding the relative risks and rewards of different activities is as critical or more critical than regulatory reporting,” he said.
Amit Chatterjee, senior vice president of the risk and compliance management unit at SAP, said that whatever can be monitored can be managed.
SAP GRC Repository and SAP GRC Process Control will be generally available Nov. 30. Other solutions, particularly those pertinent to industry verticals, will become part of the new solution during the second quarter of next year.
SAP also announced that it is bringing these products to market jointly with networking solutions vendor Cisco Systems (Quote, Chart).
http://www.internetnews.com/ent-news/article.php/3630606
Auditing woes mostly stem from improperly securing user machines and servers, according to the council’s findings. “The problems being flagged in audits are in user and access controls on PCs and laptops, audit reporting and problems in configuration change management,” Hurley says.
Those with poor audits are spending 43 percent of their IT budget on security equipment and software for IT compliance and those with successful audits, 52 percent. “They are taking money out of labor and putting it into automating the processes” such as measurement and monitoring IT compliance across the board, Hurley says.
“The organizations [surveyed] doing continuous monitoring had the least number of audit deficiencies.”
Meanwhile, security firms that perform vulnerability assessments and penetration testing say regulatory compliance is driving much of their business today. Steve Stasiukonis, vice president and founder of Secure Network Technologies, says regulatory compliance pressures from SOX and HIPAA, for instance, are one of the main reasons his clients hire him.
http://www.darkreading.com/document.asp?doc_id=103041&WT.svl=news2_5