Category: News

Enterprise Rights Management (ERM) is an umbrella term for products that mix elements of intellectual property protection with document control.

Unlike digital rights management technologies that strive to manage consumer use of published media, ERM focuses on business documents and data, seeking to control their creation, use and distribution. Rights management systems typically rely on servers operating in the background performing such functions as applying policies to content, authenticating users and granting rights. Rights management vendors and products have differing approaches and architectures.

In a nutshell, rights products can:
– Encrypt content;
– Assure that only the intended recipient can open the content;
– Control the recipient’s ability to copy, print, forward, alter or otherwise tamper with the information;
– Revoke access rights or expire the content itself to prevent further access; and
– Log all of the above to an audit trail.

Rights management vendors and products have differing approaches and architectures. SealedMedia, for example, works on the premise that content sent to external users gets returned to the sender once the sharing process is done. Liquid Machines sees rights management as enabling collaboration among trusted parties and focuses on usability — the idea that policy application and consequent document access should be as unobtrusive to processes as possible.

Some products — usually those that require server connectivity — allow rights to be changed even after the recipient has accessed the content.

Rights management shouldn’t be confused with records management. Although access rights to content can be expired using a rights management system, the content itself isn’t always destroyed, as it can be by a records management system. Losing the encryption key on a rights-protected document, for example, disables the recipient’s access to it, but the document itself may stay on the recipient’s drive.

Vendors such as PSS Systems offer a records management foundation and concentrate on applying company policy to internal documents so they can be controlled from creation to disposition, regardless of where they reside.

The Plan:
– Define the risks;
-Determine what content is worth protecting;
-Identify levels of trust and appropriate controls;
-Prescribe appropriate security for the content and the situation;
-Determine what assurance must be provided that content reaches only the intended recipient(s);
-Determine what should happen when content should no longer be shared; and
-Describe who has the authority to apply policies and what happens if policies conflict.

http://www.securitypipeline.com/49400427

The National Highway Traffic Safety Administration, part of the U.S. Department of Transportation, will give Digimarc a $1 million grant to collaborate on the study with states.The program will examine the possibility of creating licenses with embedded digital watermarks that can be read by machines operated by police officers, retailers and other people.

“Part of the value is that this shows good cooperation between federal and state governments, a number of which are already deploying the technology,” said Reed Stager, a Digimarc vice president. “This can be used to increase highway safety; it can reduce underage drinking…and also has potential to help reduce ID theft and fraud.”

Although driver’s licenses are ordinarily overseen by each state, the federal government is exploring ways to make such identification more secure, as part of an effort to improve highway safety and reduce counterfeiting. The federal drive for more secure ID has also been given impetus by concerns about homeland security. Many state driver’s licenses already have magnetic strips containing data, such as age, about their holders. This technology is built to commonly available specifications and is relatively easy to counterfeit, however.

Digimarc says its “covert watermarking” technology would provide an additional layer of security, since it would be harder to mimic. The Beaverton, Ore.-based company said it plans to use the $1 million grant to help fund state implementations of the watermarking technology, as well as to help establishments such as state-owned liquor stores to purchase card readers.

The pilot program is expected to be completed in late 2005, the company said.

http://news.zdnet.com/2100-1009_22-5390619.html?tag=default

According to the Meta Group, passwords aren’t cutting the mustard because of both organizational and user failings, as well as a lack of cost-effective alternatives.

“Enterprises are pretty frustrated with passwords,” said Earl Perkins, vice president with the firm’s security and risk strategies group. On the organizational level, Perkins said that passwords’ failings range from enterprises wasting time creating convoluted policies to spending too little time protecting crucial applications.

On the end-user front, meanwhile, passwords are ineffective when people have too many to maintain. But the issue with password protection isn’t just numbers, said Perkins.

“From a cultural standpoint, many individuals don’t believe the value of the password reflects the value of the assets it protects.

The solution that enterprises are looking for is a low-cost way to add strong authentication to identity management. Among the possible additions or alternatives to passwords are such concepts as tokens, smart cards, and PKI-style services. “But it’s going to take someone willing to drive down the price of, say, tokens to create a low-cost solution,” he added.

There are hints that that might happen as early as the end of 2004 or the beginning of 2005, Perkins said, if only because rivals of RSA, the dominant player in the identity management market with its SecureID, want to break its grip. “If a competitor can shake that tree, things will loosen up.

One of Meta Group’s clients, for instance, wanted to deploy a token-based authentication to its entire 60,000+ employee workforce, but the price tag was simply too high.

Instead, companies tend to apply the higher-cost, but more secure, authentication to higher-value assets, such as servers, and leave passwords, as ineffective as they are, to defend other assets, like desktops.

http://www.techweb.com/wire/security/47900125

This isn’t the first time that phishers have used the FDIC as a disguise to trick consumers.

Earlier this month, the Anti-Phishing Working Group detected a less sophisticated scam that tried to get users to give up their credit card account numbers, Social Security numbers, and PINs.

http://www.securitypipeline.com/news/47902805;jsessionid=H4IZU5N52KWUCQSNDBCCKHY

The decision: No SP2 fixes — not even ones like the SP2 pop-up blocker or the ActiveX-control blocker — will be offered for users of older versions of Windows and Internet Explorer (IE).

Microsoft never publicly committed to providing any of the SP2 fixes for users of older versions of Windows or Internet Explorer. But company officials privately told a select group of developers earlier this year of plans to port some of the IE-specific fixes to the version of IE 6 for Windows 2000 (Service Pack 5 update).

“Trying to retrofit older technologies (which were never designed with current environment in mind) with current advancements creates a set of challenges that make it difficult for customers to deploy and doesn’t provide a level of security that we feel confident in providing to our customers. Microsoft’s decision not to port SP2 fixes to Windows 2000, in particular, doesn’t sit well with Michael Cherry, senior analyst with the Kirkland, Wash.-based “Directions on Microsoft” research outfit.

Is it ‘no’ to improvements that could be part of Windows 2000 in a future SP before it leaves mainstream support?

http://www.microsoft-watch.com/article2/0,1995,1650707,00.asp

E&Y contacted 1,233 organizations representing 51 countries for its “Global Information Security Survey 2004,” a report meant to gauge enterprise perceptions of security. “Perhaps the remarkable thing is how little attitudes, practices, and actions have changed since 1993 — during a period when threats have increased significantly,” the report states.

The survey found that only 28 percent of global respondents noted “raising employee information security training or awareness” as a top 2004 initiative, despite the fact that a “lack of security awareness by users” was their top IT security obstacle.

Sixty-seven percent of the organizations surveyed view information security as being an important part of achieving their organizations’ overall business goals and objectives.

Employee misconduct involving information security was noted by 60 percent of respondents as being a high-level concern for organizations over the next 12 months. They were noted by 68 percent of respondents as being responsible for an unexpected or unscheduled outage of a critical business system.

In contrast to the incidents reported from those external threats, incidents originating from former or current employee misconduct were noted by only 24 percent of respondents.

In 2003, 21 percent said the spending would increase significantly while 40 percent said it would increase slightly.

Earlier this year, research firm IDC reported 59 percent of its survey base indicated that IT security spending would increase.

Company chiefs are aware of the threats of information security breaches posed by their employees, but are failing to safeguard their assets against insider attack. Keeping control of security will only get more difficult as organisations move toward increasingly decentralised business models through outsourcing and other external partnerships, Ernst & Young’s 2004 Information Security Survey warns.

“Companies can outsource their work, but they can’t outsource responsibility for its security,” Edwin Bennett, global director of Ernst & Young’s technology and security risk services, said.

“Fewer than one-third of those companies conduct a regular assessment of their IT providers to monitor compliance with information security policies – they are simply relying on trust.

Organisations have to demand higher levels of security from their business partners.”

The Ernst & Young survey found that organisations remain focused on external threats such as viruses, while internal threats are consistently under-emphasised. Companies will readily commit to technology purchases such as firewalls and virus protection, but are hesitant to assign priority to human capital. And that leads to “damage from insiders’ misconduct, omissions, oversights, or an organizational culture that violates existing standards”.

More than 70 per cent of the 1,233 organizations questioned by Ernst & Young failed to list training and raising employee awareness of information security issues as a top initiative.

That’s just not good enough, it says. “More could and should be done to transform the skills and awareness of their people, who often present the greatest opportunity for vulnerabilities – and convert them into its strongest layer of defence,” Ernst & Young’s Bennett concludes.

http://www.internetnews.com/stats/article.php/3412331
http://www.theregister.co.uk/2004/09/23/insider_risk/