Author: admini

E&Y contacted 1,233 organizations representing 51 countries for its “Global Information Security Survey 2004,” a report meant to gauge enterprise perceptions of security. “Perhaps the remarkable thing is how little attitudes, practices, and actions have changed since 1993 — during a period when threats have increased significantly,” the report states.

The survey found that only 28 percent of global respondents noted “raising employee information security training or awareness” as a top 2004 initiative, despite the fact that a “lack of security awareness by users” was their top IT security obstacle.

Sixty-seven percent of the organizations surveyed view information security as being an important part of achieving their organizations’ overall business goals and objectives.

Employee misconduct involving information security was noted by 60 percent of respondents as being a high-level concern for organizations over the next 12 months. They were noted by 68 percent of respondents as being responsible for an unexpected or unscheduled outage of a critical business system.

In contrast to the incidents reported from those external threats, incidents originating from former or current employee misconduct were noted by only 24 percent of respondents.

In 2003, 21 percent said the spending would increase significantly while 40 percent said it would increase slightly.

Earlier this year, research firm IDC reported 59 percent of its survey base indicated that IT security spending would increase.

Company chiefs are aware of the threats of information security breaches posed by their employees, but are failing to safeguard their assets against insider attack. Keeping control of security will only get more difficult as organisations move toward increasingly decentralised business models through outsourcing and other external partnerships, Ernst & Young’s 2004 Information Security Survey warns.

“Companies can outsource their work, but they can’t outsource responsibility for its security,” Edwin Bennett, global director of Ernst & Young’s technology and security risk services, said.

“Fewer than one-third of those companies conduct a regular assessment of their IT providers to monitor compliance with information security policies – they are simply relying on trust.

Organisations have to demand higher levels of security from their business partners.”

The Ernst & Young survey found that organisations remain focused on external threats such as viruses, while internal threats are consistently under-emphasised. Companies will readily commit to technology purchases such as firewalls and virus protection, but are hesitant to assign priority to human capital. And that leads to “damage from insiders’ misconduct, omissions, oversights, or an organizational culture that violates existing standards”.

More than 70 per cent of the 1,233 organizations questioned by Ernst & Young failed to list training and raising employee awareness of information security issues as a top initiative.

That’s just not good enough, it says. “More could and should be done to transform the skills and awareness of their people, who often present the greatest opportunity for vulnerabilities – and convert them into its strongest layer of defence,” Ernst & Young’s Bennett concludes.

http://www.internetnews.com/stats/article.php/3412331
http://www.theregister.co.uk/2004/09/23/insider_risk/

The decision: No SP2 fixes — not even ones like the SP2 pop-up blocker or the ActiveX-control blocker — will be offered for users of older versions of Windows and Internet Explorer (IE).

Microsoft never publicly committed to providing any of the SP2 fixes for users of older versions of Windows or Internet Explorer. But company officials privately told a select group of developers earlier this year of plans to port some of the IE-specific fixes to the version of IE 6 for Windows 2000 (Service Pack 5 update).

“Trying to retrofit older technologies (which were never designed with current environment in mind) with current advancements creates a set of challenges that make it difficult for customers to deploy and doesn’t provide a level of security that we feel confident in providing to our customers. Microsoft’s decision not to port SP2 fixes to Windows 2000, in particular, doesn’t sit well with Michael Cherry, senior analyst with the Kirkland, Wash.-based “Directions on Microsoft” research outfit.

Is it ‘no’ to improvements that could be part of Windows 2000 in a future SP before it leaves mainstream support?

http://www.microsoft-watch.com/article2/0,1995,1650707,00.asp

Richard Cross, the automaker’s information security officer, warned against misleading doublespeak and promises of universal cure-alls.

“There is a temptation to go searching for a panacea, but if you find yourself speaking to a vendor and it sounds as though you are being offered a panacea, then it’s time to change the conversation,” Cross told attendees at the Gartner IT Security Summit in London this week. He added that in his view, many companies intentionally mislead customers.

The remarks drew a variety of reactions.

Ian Schenkel, managing director of security company Sygate, agreed with Cross that there are no panaceas. But he added that if there are any IT directors who have fallen for a misleading approach, it is in part because they have not done their homework. “Some IT directors are looking for the holy grail,” he said, adding that some have a tendency to only hear what they want to hear. What IT directors want to hear is that I’m the medicine man here to cure all their ills, but that simply isn’t the case. Companies should always be looking at a layered solution, involving multiple vendors. To expect a single solution is unrealistic.”

Some vendors say the problem of overselling is less severe than it used to be. Simon Perry, vice president of security strategy at Computer Associates International, said: “Five years ago, it was certainly true that most antivirus vendors were talking things up, but a growing sense of maturity and responsibility in the industry has definitely seen this decline.” Perry warned that companies that do oversell are in danger of not being taken seriously and jeopardizing their business. He said that typically it is smaller companies attempting to gain recognition in a crowded marketplace that may make bolder claims.

Schenkel conceded that the 1990s weren’t great days for honesty within the industry, or for the image of the IT vendor overall, but he added that much of the current negative press addresses little more than the kind of marketing that is rife in any competitive industry. “There is always going to be an element of jostling, with companies claiming theirs is the best product on the market, but that is just the software industry,” he said. “The bottom line is that companies still have to back up their claims.”

David Guyatt, CEO at Clearswift, told Silicon.com he would support any industry initiative and codes of practice that would effectively expose any company making exaggerated claims.

http://news.com.com/Toyota%3A+Some+security+firms+promise+too+much/2100-7355_3-5377287.html?part=rss&tag=5377287&subj=news.7355.5

Microsoft has published the patch through its Web site. It fixes a problem that installing XP SP2 creates with VPNs and can be downloaded here.

Once installed, XP SP2 can cause users to see a ‘cannot establish a connection’ message if a the machine tries to connect to IP addresses in the loopback address range, according to Microsoft’s Web site.

However, Redmond won’t be expecting too many hits on the patch yet. XP SP2 has only reached a fifth of the people Microsoft had hoped, missing its target by 80 million. The patch is the second Microsoft has been prompted to offer following the emergence of XP SP2.

Microsoft’s CRM product also needed a fix to become compatible with the service pack.

The VPN fix is one of the downloads that features in a pilot programme to test if users’ licences are genuine.

To download the fix, users are required to have their licences validated through Microsoft’s website.

http://news.zdnet.co.uk/software/windows/0,39020396,39167556,00.htm