Category: News

It’s about how you contain” an intrusion, Sood says. “Intrusion tolerance is different than intrusion detection and intrusion prevention — it doesn’t do any detection and prevention,” he says. “….we try to contain the losses by reducing the exposure time of the server to the Internet.”

Sood, who will outline his SCIT technology this week at IntrusionWorld in Baltimore, says the basic idea is to regularly rotate Web, DNS, or other servers on- and offline to “cleanse” the exposed machine to a previously unblemished state that’s never been online — and automatically have another clean (virtual) machine take its place.

It’s a fatalistic approach to Internet-borne attacks: “Because servers are online for such a long time, if someone wants to deliberately intrude, he has a sitting duck on which he can work,” Sood says. The goal is to keep servers exposed to the Internet at sub-minute intervals, but without disrupting the application. “This seems like yet another scheme that forgets that attacks take milliseconds, not days.”

Meanwhile, Sood is licensing SCIT from GMU for his new startup called SCIT Labs. The GMU professor and his colleagues first came up with the SCIT concept over five years ago, but that was when virtualization was new, and it rendered SCIT inoperable due to performance reasons.

http://www.darkreading.com/document.asp?doc_id=153621&WT.svl=news1_6

Common security threats addressed include exploitation of software bugs to gain unauthorized access, denial-of-service attacks, exposure or corruption of sensitive data, unsecured transmission of data, use of a server breach to gain access to other network resources and use of a compromised server to launch attacks.

NIST recommended that security plans be considered from the initial planning stage because addressing security is more difficult after deployment.

“Organizations are more likely to make decisions about configuring computers appropriately and consistently when they develop and use a detailed, well-designed deployment plan,” the document said. * Standardized software configurations that satisfy the information system security policy…. Because manufacturers are not aware of each organization’s security needs, each server administrator must configure new servers to reflect their organization’s security requirements and reconfigure them as those requirements change,” NIST advised.

“The overarching principle is to install the minimal amount of services required and eliminate any known vulnerabilities through patches or upgrades,” the document said.

http://www.gcn.com/online/vol1_no1/46239-1.html

“NAC 1.0 is key in controlling who gets on the network, but the problem is there are many new kinds of nodes like inventory control devices and robots, and they all have an IP address and so users need to control them,” said Steve Hanna a distinguished engineer at Juniper Networks who co-chairs the Trusted Network Connect committee that developed the protocol.

http://www.eetimes.com/showArticle.jhtml?articleID=207501479

“The security professional’s job is becoming less technical and more managerial… It means understanding the business needs and being able to speak to business people in terms they can understand.”

This year’s ISC(2)/Frost & Sullivan survey showed a marked increase in the number of security professionals who consider “communication skills” to be a critical part of their jobs. At the same time, however, fear of security breaches and the associated fallout has brought a new level of urgency — and tension — to the security pro’s day.

In a study published earlier this week by Amplitude Research and VanDyke Software, 50 percent of network administrators surveyed said that “securing remote access” was their chief concern, reflecting a growing concern about increasingly mobile employees.

“Growing awareness of the damage caused by security breaches, together with the increasing demand for a more mobile and remote workforce, will keep the worldwide market for security software buoyant,” said Gartner, which published its annual security software forecast earlier this week. Gartner predicts that the security market will continue to grow despite a poor economy, thanks in part to growing fear about breaches and the threat they pose to business.

Schmidt, who has been a top security officer at eBay, Microsoft, and the White House, said he was surprised at the concern displayed over potential damage to the corporate reputation, given that most of the companies which have publicly disclosed their breaches have suffered only temporary embarrassment. In fact, the question now is not how precarious the security manager’s job is, but what it may evolve into, Schmidt observed. “As it becomes more about risk, security is not necessarily an IT problem.”

http://www.darkreading.com/document.asp?doc_id=151738&f_src=darkreading_section_296

Oracle follows security companies such as Symantec, Scansafe and Mcafee into the “security as a service” space. Oracle – whose service will launch later this year – says companies will be able to decouple security features from particular applications and centralise security processes.

Gartner believes security as a service will see an annual growth rate of more than 30 per cent through 2012, as companies move more broadly to using web.hosted applications. The global enterprise security market is worth more than 5.5bn annually, and is growing over 10 per cent a year, according to Canalys research.

http://seclists.org/isn/2008/Apr/0070.html

“It’s hard to believe that this Administration now believes it has the answers to secure our federal networks and critical infrastructure,” Representative Bennie Thompson (D-MS), chairman of the House Committee on Homeland Security, said in prepared remarks at the opening of the hearing on Thursday. “I believe cybersecurity is a serious problem — maybe the most complicated national security issue in terms of threat and jurisdiction… This problem will be with us for decades to come.”

The U.S. government gave short shrift to cybersecurity issues at the beginning of the decade. While the Bush Administration released its National Strategy to Secure Cyberspace in 2003, the final document significantly softened the government’s stance on securing critical infrastructure, which is primarily maintained by private companies. The Administration also collected most of the cybersecurity capabilities into the Department of Homeland Security and then failed to fund the efforts. While Congress established the position of Assistant Secretary for Cybersecurity within the DHS in 2005, the Bush Administration failed to fill the leadership role for more than a year, finally appointing Greg Garcia, a former information-technology lobbyist, to the post. In the last two years, however, the Bush Administration has focused more intently on securing government networks.

The U.S. computer emergency readiness team (US-CERT) has deployed a network-traffic analysis system, EINSTEIN, to monitor 15 agencies for possible computer intrusions.

The National Institute of Standards and Technology has created the National Vulnerability Database and worked with other agencies to create important standards for configuration management and vulnerability detection.

The latest effort by the Bush Administration is the so-called “Cyber Initiative” — a plan to minimize the number of trusted Internet connections, or TICs, and improve EINSTEIN’s monitoring on those connection to prevent attacks in real time. The Bush Administration has budgeted $30 billion over the next five to seven years for the program, according to statements by Committee members. The 2009 budget has requested $294 million for US-CERT to hire more analysts and fund the additional deployment of the system.

During Thursday’s hearing, officials from the Office of Management and Budget and the Department of Homeland Security answered the Committee’s questions on the non-classified components of the initiative.

As part of the Cyber Initiative, a major effort is under way to reduce the number of interconnections between federal agencies and the public Internet. Currently, more than 4,000 trusted Internet connections (TICs) link the federal government to the Internet, according to Robert Jamison, Under Secretary for the DHS’s National Protection and Programs Directorate. Under the Cyber Initiative, that will be reduced to 50.

The second part of the Cyber Initiative calls for improvement to the EINSTEIN intrusion detection system and the deployment of the system to monitor all 50 Internet access points. The information is analyzed on a daily basis, and so cannot detect threats in real time, DHS’s Jamison said. The original assessment, completed in September 2004, found that the EINSTEIN system did not need to have Privacy Act System of Records “because the program is not intended to collect information that will be retrieved by name or personal identifier.”

The committee also took issue with the DHS Secretary Michael Chertoff’s decision to appoint Scott Charbo, the former CIO for the department, to the position of Deputy Under Secretary in charge of implementing the program.

http://www.securityfocus.com/news/11507?ref=rss