admini – Page 217 – CyberSecurity Institute

IT execs feel the heat as security woes multiply

Posted on August 28, 2006December 30, 2021 by admini

Security accountability is long overdue, says John Pescatore. When a series of worms hit in 2001 and paralyzed businesses, IT staff threw up their hands and blamed vendors. “Five years ago, nobody was responsible and nobody had authority,” Pescatore says. “The business side of the organization has learned to live with accountability and is able to talk about revenues and returns,” Pescatore says. IT managers and security managers aren’t the ones setting corporate policies, yet they’re responsible for enforcing the policies and ensuring security, he says. All in a day’s work IT executives say their jobs are now on the line if an IT event compromises security or impedes business performance.

Greater accountability is a natural consequence of IT becoming more central to business operations, says Chris Majauckas, computer technology manager for Metrocorp Publications in Boston. “Upper management is aware that it is impossible to foresee every possible negative event, but they do expect those events to be handled promptly and properly,” he says. “The days of upper executives that aren’t IT-aware are gone,” adds Bruce Meyer, senior network engineer at ProMedica Health System in Toledo, Ohio. The negative publicity surrounding the recent breaches has forced all IT departments “to examine how the events happened and discuss with the executive level what our exposure to the same incident would be,” says Cory Elliott, IT director at Basic Energy Services in Midland, Texas.

The Health Insurance Portability and Accountability Act (HIPAA) and the Sarbanes-Oxley Act (SOX) were designed to protect patient privacy and improve financial reporting, respectively. The burden of providing that falls to IT – which can become a scapegoat if efforts come up short. “Oversights, either deliberate or inadvertent, now become part of reports to audit committees and boards, who have obligations to show due diligence in responding to compromised situations,” he says. “This may produce more pressure and require dismissals that would not necessarily occur in private companies.” Dismissing or shuffling IT staff is often a signal to the public that punitive and preventive measures have been taken, Donnelly says.

The company’s IT department is spending more time and money on security investments such as intrusion-prevention systems, firewall, security appliances and antivirus software. “If you have a regulatory stick, use it,” Pescatore says. While greater IT accountability is a good thing, it has to come with authority, Pescatore says.

Ground your assertions in reason: “It has to be about more than just fear.”

http://www.networkworld.com/news/2006/082806-security-risk.html?WT.svl=bestoftheweb1

Website is going to evolve

Posted on August 25, 2006December 30, 2021 by admini

Well the time has come for this web site to evolve to the next level. Extra value is you join. If it will give access to the commenting system and also a newsletter quickly summarizes the news just for you.

Review: ‘Hacker-in-a-Box’ Tool Tests Attack Scenarios

Posted on August 25, 2006December 30, 2021 by admini

Today, most hacking is financially driven and well-organized, with attacks launched to steal information from banks, financial services firms and online retailers. With banks, for instance, hackers working with inside employees or identifying weak application exploits have been known to set up temporary offshore accounts to siphon tiny amounts from many of accounts. Stealing customer information is the most common attack, since it can be done with simple SQL-injection scripts to retrieve complete database tables.

With the arrival of Web 2.0 and Ajax, new vulnerabilities are popping up at the client level. To identify holes, developers must revalidate Ajax code at the server level before finalizing transactions. Essentially, Ajax creates the same types of vulnerabilities as server-based Web applications, but they’re more magnified because more code is exposed at the client side, with less validation done at the server side.

Cenzic promotes a “divide and conquer” methodology, in which security administrators make critical decisions on how to test applications during development and QA testing. The only security strategy promoted by ASPs and ISPs deals with providing firewall and SSL support to applications, leaving application logic completely out of their security infrastructure.

In addition to Hailstorm, Cenzic offers two ASP models to simplify remote testing and QA for customers that don’t have the resources in-house.

http://www.darkreading.com/document.asp?doc_id=102274&WT.svl=cmpnews2_1

Enterprises Still Not Sweet on Honeypots

Posted on August 23, 2006December 30, 2021 by admini

“It’s a great alarm system — there are no false positives with honeypots.

Honeypots have long been used in research networks, federal government agencies (especially the Department of Defense), and law enforcement for tracking potential attacks, attackers, or perpetrators. One such application would be for detecting an internal user’s suspicious activity on the network, or if an outsider was poking around the network from the inside, says Logan. “Most times attackers will use an [enterprise’s] server or end-user PC to further explore the enterprise, so you could have an employee unwittingly being used.”

But once you put up that sexy honeypot and attackers start buzzing around, you’ve exposed yourself, critics say. Thomas Ptacek, a researcher with Matasano Security, says honeypots not only invite trouble, but they also generate operational overhead that most organizations don’t have the manpower to handle. Arbor Networks has a “dark IP” monitoring feature that uses unused IP addresses within an organization for the honeypot machines, so it’s obvious when an attacker is knocking. It used to run honeypots on its DMZs, says Mark Butler, manager of security and compliance services for H&R Block. The devices detect an attacker’s reconnaissance behavior and respond with “fake” information using ForeScout’s proprietary honeynet technology. “It gives me trends, such as what type of behavior is going on,” and if connections are coming from Russia, for example, and at what frequency, says Butler, who acknowledges it doesn’t catch everything.

“Once you turn on a honeypot in your network, you’ve created something to keep you up at night,” says Jeff Nathan, software and security engineer for Arbor Networks.

http://www.darkreading.com/document.asp?doc_id=102139&WT.svl=news1_2

IBM Up-Ends Security Services Market

Posted on August 23, 2006December 30, 2021 by admini

“We see a $22 billion market opportunity in managed security services, and we intend to offer a single solution for companies that have not felt comfortable outsourcing until now,” says Val Rahmani, general manager for IBM’s Infrastructure Management Services unit.

“IBM has been showing a tendency to move back, in many ways, to the old mainframe days, where it owned an account top to bottom,” says Rob Enderle, president of the Enderle Group, an IT consultancy.

“I think this acquisition is definitely part of an overall trend, where the more mature parts of the security industry — things like firewalls — are aggregated into fewer, larger companies,” says Robert Richardson, editorial director at the Computer Security Institute.

Big Blue has been carefully vendor-neutral in its approach to managed services in the past, but it seems unlikely that the company will be able to maintain that stance as it integrates the ISS technology into its offerings. The acquisition comes less than two months after IBM storage rival EMC picked up RSA Security for $2.1 billion. “RSA had been shopping itself for some time, and I assume they probably spoke with IBM. But a deal that size [EMC-RSA] probably woke up a lot of larger vendors that this is going to be a major issue going forward, and it’s better having the IP and services in house than relying on partners. “The only thing that is similar is when EMC wanted to jump into the security space they went for a household brand.

http://www.darkreading.com/document.asp?doc_id=102103&WT.svl=news1_3

Standard Could Unify Security Apps

Posted on August 22, 2006December 30, 2021 by admini

Security managers have been frustrated by the proliferation of “point products” in their environments, which generate a ton of data but offer no method to filter or correlate it to find the root cause of a violation.
Security information management (SIM) tools offer a possible solution, but each has its own proprietary means of collecting and presenting security data.

“What the CEF offers is a standard way to normalize the data from the different devices and tools so that it can be analyzed,” says Steve Sommer, senior vice president of marketing and business development at ArcSight.

If it’s adopted across the industry, the CEF could play a role similar to SNMP, the IETF standard that unified network and systems management tools a decade ago. So far, however, the vendors that have announced support for CEF are those that were already ArcSight partners: AirTight Networks, CipherOptics, DeepNines, Intrusic, Reconnex, Vericept, and Vontu. Sommers says ArcSight is negotiating with “a multi-billion dollar competitor” in the SIM market, which is considering adopting the standard. He would not disclose the name of the vendor, but three of the multibillion vendors that make SIM tools are Cisco, Computer Associates, and Symantec. Even when a forum is selected, it will probably take six to 12 months to get on the agenda of the standards bodies, Sommers observes.

http://www.darkreading.com/document.asp?doc_id=102024&WT.svl=news2_4