Security News Curated from across the world
“Today’s businesses cannot grow in the absence of a healthy environment for the realization of new innovations,” said IDC Vice President Chris Christiansen in a prepared statement.
ยท And, creating a repeatable process for making risk/reward calculations for new initiatives.
http://www.securityinfowatch.com/online/IT-Asset-and-Technology-Centers/IT-security-fears-snarl-business-innovation/17857SIW364
Secure Computing is used by the world’s most demanding customers to virtually eliminate risks from cyber attacks, espionage or sabotage that may cause loss of life, property, economic loss and disruption or create devastating environmental disasters.
Timed in conjunction with the fifth annual National Cyber Security Awareness (NCSA) Month in October, Secure Computing’s Cyber Security Initiative kicks-off an intensive effort to provide corporations with informative research, tools, technologies, solutions and best practices vital for companies and federal agencies evaluating–or re-evaluating–their approach to critical infrastructure protection. Critical infrastructure comprises all computer systems that can be targets of criminal threats, industrial espionage and/or politically motivated sabotage such as the power grid, water supply, railways, nuclear energy plants and more.
Attacks on such networks can cause loss of life, threaten public safety, impact national security, or create economic upheaval or environmental disaster. It is estimated that the destruction from a single wave of cyber attacks on U.S. critical infrastructures can exceed $700 billion USD — the equivalent of 50 major hurricanes hitting U.S. soil at once.
“Even though businesses and government agencies know they need to secure their networks, many don’t have the in-house expertise or time it takes to fully secure systems,” explained Scott Montgomery, vice president of Global Technical Strategy for Secure Computing. “We want to elevate awareness so that they understand how to change behavior to make security a high priority.” In the industries where security is paramount and network-to-network interconnection is the norm, security is not an option…it is a necessity.
With a unique combination of high-speed application layer defenses, reputation scores, geo-location control, and long history of no patches or hacks, Secure Computing can defend critical networks without jeopardizing their core functionality and availability requirements. Security is needed to protect key aspects of the network: the control system assets themselves and information about critical assets. A major urban utility company servicing over 10 million customers purchased Secure Computing’s Secure Firewall (previously known as Sidewinder) 14 years ago to protect their control network.
The data and resulting analysis will be published on the website mid-October.
http://www.ebizq.net/news/10350.html
The Shadowserver Foundation, a volunteer organization that gathers intelligence on the Internet’s dark side, has begun building a so-called “sinkhole” server that poses as those now-defunct malicious domain servers in order to find out what they left behind.
The project, which is in the early phases, will allow Shadowserver to emulate both botnet IRC and HTTP traffic as a way to study those botnets as well as find bots that remain infected by them, says Steven Adair, a security expert with Shadowserver, who revealed the new project to attendees of the OWASP USA security conference here.
“There are still a lot of [machines] communicating with” these now-defunct servers, Shadowserver’s Adair says.
Shadowserver then could trace those infected machines and alert the organizations whose machines or Web servers are still infected by the botnets, he says.
Shadowserver’s sinkhole server will be able to accept incoming traffic from infected machines as they try to communicate with their former command and control server, for example.
One infamous HTTP-based botnet Shadowserver has been studying closely is Black Energy, which traditionally has been used for distributed denial-of-service (DDOS) attacks.
“It went from a mundane botnet to stealing [credentials] and taking when it can from the same infection.”
http://www.darkreading.com/document.asp?doc_id=164571&WT.svl=news1_2
“The time to act is now, because new applications that lack basic security controls are being developed every day, and thousands of existing vulnerabilities are being ignored….The CSSLP will be a key component in better critical infrastructure protection, reduced risk of software malpractice suits and stricter adherence to industry and government regulations.”
A wide range of respected organisations have expressed their support for the CSSLP, including: BASDA, Cisco, ISSA, Frost and Sullivan, Microsoft, SANS, SRA International, Software Assurance Forum for Excellence in Code (SAFEcode), Symantec and Xerox. Several of these organisations are sending their qualified software staff through the education and examination process.
Subject areas covered by the CSSLP exam will include the software lifecycle, vulnerabilities, risk, information security fundamentals and compliance. Candidates must demonstrate four years of professional experience in the SLC process or three years of experience and a bachelor’s degree (or regional equivalent) in an IT discipline.
Colley added, “The CSSLP ensures that our first line of defense in this war – people – have the tools and knowledge to implement and enforce security throughoutthe software lifecycle.”
The first CSSLP exam is scheduled for the end of June in 2009. They will become the first CSSLP holders and be asked to contribute to the exam development process and assist in other program development tasks. Applications for the CSSLP experience assessment will be accepted from Sept. 25, 2008 through March 31, 2009, with the first education seminars slated for Q1 2009.
“As the recognised voice of the business software industry in the UK, BASDA is fully supportive of(ISC)2 in developing standards for software development that ultimately benefit business software users in providing more secure systems.” Said Jairo Rojas, Director General, BASDA (Business Application Software Developers’ Association). “To better protect customers from evolving threats, the software community must come together and incorporate security earlier in the software development lifecycle,” said Steven B. Lipner, senior director of security engineering strategy at Microsoft. “Microsoft strongly supports industry efforts to train and certify developers in security, especially those in organizations with limited resources.
Along with executive commitment, tooling, and state-of-the-art processes, certification and training are critical parts of secure development… Today’s emerging threats include several security risks which exploit the flaws and limitations of the application code for many technology products and services that businesses and individuals have come to rely on in their day-to-day lives… Earning the CSSLP certification is the first step in ensuring that personnel are aptly qualified and will help address the ever-growing need for secure software.”
CSSLP practices are expected to result in lower production costs, fewer delays, better critical infrastructure protection, reduced risk of software malpractice suits, and stricter adherence to industry and government regulations.
http://www.tmcnet.com/usubmit/-isc2-isc2-launches-security-certification-reduce-application-vulnerabilities-/2008/09/25/3670468.htm
The ultimate goal of the project is to help prevent cyber crime gaining a better understanding of different types of criminal hackers, their movements, and the types of attacks they perform, as well as their possible ties to organized crime activity and cyber terrorism.
There are so many typologies of hackers, especially if we consider why they do it and how they do it,” says Chiesa, director of communications the Institute for Security and Open Methodologies (ISECOM), which is spearheading the project. ISECOM envisions a methodology where you can identify the type of attacker who hit you based on forensic data that correlates with his or her profile.
The project includes detailed psychological profiles of script kiddies, crackers, and mercenaries, for example, and eventually will correlate honeynet data with the various hacker profiles to match behaviors and methodologies.
“I’m thinking about building a honeypot in order to act like a fake e-banking system, [or] a government Web site,” Chiesa says. “It will help to break some myths and preconception that the society and law enforcement agencies have on cyber criminals.”
Chiesa says one company that wanted to move its IT headquarters to Romania asked ISECOM to analyze the Romanian hacking scene so it could determine the risk of the move. And the United Nations Interregional Crime & justice Research Institute is using the HPP data for studying new threats, he says.
But some security experts have questioned whether it’s truly possible to reach the bad guys and get accurate information from them to actually profile them. “That’s why the whole Hackers Profiling Project was carried out by psychologists, criminology researchers, and infosec people…
http://www.darkreading.com/document.asp?doc_id=164364&WT.svl=news2_5
Starting in the fall, the company will allow companies to download its Secure Development Lifecycle (SDL) Optimization Model, which allows organizations to gauge the completeness and maturity of their own software development programs as well as identify gaps in their practices, Steve Lipner, senior director of security engineering strategy at Microsoft, said in an interview transcript posted by company online.
The SDL Optimization Model and SDL Threat Modeling Tool will both become freely available in November, the software giant said.
http://www.securityfocus.com/brief/820?ref=rss