Category: News

They think security pros need to worry more about retaining the best staff and should be careful not to become too consumed with regulatory compliance.

Michael Barrett, CISO at eBay money-transfer service PayPal, says there is always an undercurrent of panic in the event that something blows up. “Most data centers are held together by sheer heroic effort,” he says. When Microsoft discloses software vulnerabilities, as it typically does every first Tuesday of the month, “We’re scurrying about to get patched, and I worry: What will the bad guys do before we patch everything?” Because PayPal is a global company, Barrett says he worries whether the company has the right interpretation on legislation and regulation related to data privacy around the world and the right controls in place.

His long-range concerns have him asking questions such as: In terms of stopping criminals and attackers, do we have the right investment mix and the right set of projects? Are new threats coming up that we need to re-balance that portfolio?

At motion-picture processing and games-manufacturing studio Technicolor in Camarillo, Calif., whose clients include DreamWorks SKG, Sony Pictures Entertainment and Paramount, the top worry is attackers who might steal the entertainment content.

Risk management can sound like a “Mission Impossible” episode in large organizations with many lines of business, tens of thousands of employees, and lots of applications and networks to keep an eye on. “I’m always on call,” says Jalal Zamanali, senior vice president of IT and CISO at Temple-Inland in Austin, Texas, and its subsidiary Guaranty Financial Services, with combined interests in corrugated packaging, forestry, real estate and financial services. Although he has a security staff of 17 to stay abreast of IT projects, Zamanali says his top concern is making sure security controls are on track in terms of regulatory compliance rules related to the Sarbanes-Oxley and Gramm-Leach-Bliley laws. “The chief audit officer has to translate these laws into control points,” Zamanali explains. Consequently, Zamanali — who reports to the chief risk officer — makes sure he meets with the chief audit officer about once a week to discuss compliance issues.

Beth Cannon, CSO at merchant bank Thomas Weisel Partners in San Francisco, says audits to provide evidence that security policies are enforced in IT systems and processes are her main worry.

Consultants and other industry experts don’t dismiss the issues that CSOs and CISOs are worrying about, though they recommend a host of things that might warrant even more of security professionals’ attention. CSOs should worry about losing their jobs because all too often their stance on security is seen by upper management as overly technical or a bad fit, says Jon Gossels, president and CEO of consultancy SystemExperts in Boston. Brad Johnson, vice president at SystemExperts, say one key worry that CSOs should have is where and how they’re going to find and retain the best security-savvy employees.

The Palm Harbor, Fla.-based professional organization International Information Systems Security Certification Consortium (ISC2) has had 48,000 security professionals pass its exam for Certified Information Systems Security Professional and other certifications that can often be found listed on the business cards and resumes of CSOs and CISOs.

Zeitler, whose 30-year career included positions as CISO at Volkswagen Credit and head of security at Charles Schwab and Fidelity Investments, says a top concern for CSOs should be whether they can find personnel with the right skills at the right price. He points to computer forensics, which requires people trained in procedures to capture potential evidence and preserve it appropriately, as an example.

Howard Schmidt, the former security chief at eBay and Microsoft and former White House cybersecurity advisor, says there’s no doubt that regulatory-compliance issues are going to be a top worry for the CSO or CISO.

http://www.computerworld.com.sg/ShowPage.aspx?pagetype=2&articleid=5254&pubid=3&tab=Home&issueid=112

“Web 2.0 is all about openness and freedom,” said Kris Lamb, a director with IBM’s Internet Security Systems, in an interview at Interop.

As companies rush to embrace this trendy new media phenomenon, IT and security managers are being warned to slow down the process and make sure they think through their security.

Web 2.0 technologies — the kinds that promote interactivity and community-building and made MySpace and YouTube household names — are starting to gain a foothold on more conventional Web sites. An automobile maker, for instance, might start a social network or blog for customers to write about their experiences with their vehicles or to post pictures or videos from their favorite road trips.

But the advantages of creating these communities and enriched Web sites also come with the same risks that plague the Web 2.0 giants. Hackers and spammers can join MySpace to create their own pages, riddled with malicious code, to infect their social-networking peers. And hackers are beginning to target vulnerabilities in Ajax applications, which help make the Web 2.0 Web sites so dynamic.

“It’s a gold rush right now,” said David Cole, director of Symantec Security Response, in an interview at Interop.

Paul Judge, chief technology officer at Secure Computing, said in an interview that many companies are still getting their arms around traditional Web site issues, including database validation problems, and now they’re being hit with unfamiliar technologies.

Symantec ‘s Cole said IT managers need to make sure they take enough time to plan out the necessary safeguards before they jump into Web 2.0 technologies. Make sure that users aren’t allowed to use JavaScript, and assume that spammers will find the site — so set up protections and caution users from putting up too much personally identifying information, especially e-mail addresses.

http://www.darkreading.com/document.asp?doc_id=124871&WT.svl=cmpnews2_3

“I cannot emphasize enough that you must get management nailed down when it comes to virtualization. If you don’t, you are going to be in for a world of hurt in the virtualized environment,” Duncan Hill, an entrepreneur in residence at Ventures West, told Interop attendees.

Vendors at Interop such as WildPackets and InfoVista are trying to get ahead of the challenge of managing virtual environments. For its part, WildPackets announced a feature in its OmniAnalysis product that captures network traffic on virtual servers — even when it doesn’t cross network segments. With the data, network managers can troubleshoot performance problems and pinpoint in which virtual partition the issue occurred, the company says.

Separately, InfoVista announced it added capabilities to discover virtual instances alongside virtual physical resources to its VistaInsight for Servers 3.0.

Yet management isn’t the only challenge facing virtual environments. During a panel discussion at Interop, industry watchers debated how security must be updated to move away from signature-based systems and toward products that can baseline appropriate virtual behavior and isolate anomalous activity.

http://www.networkworld.com/news/2007/052307-interop-virtualization.html?WT.svl=bestoftheweb5

The Security Content Automation Protocol is an expansion of the National Vulnerability Database. SCAP is intended to help make the step from FISMA compliance to
operational IT security.

FISMA is a very thorough and comprehensive framework for security computers, said Peter Mell, NVD program manager. But it doesnt deal with diving down at low level configurations and settings where vulnerabilities are exploited.

http://www.gcn.com/online/vol1_no1/44331-1.html

That does not mean that the more widely broadcast attacks are disappearing. To get their malware past antivirus engines, some hackers are employing what Commtouch Software calls polymorphic distribution
patterns. Thats a polysyllabic way of saying that hackers are generating a large number of distinct variants of a worm or virus and releasing them in short, intense bursts. This creates many zero-day exploits,
increasing the chances of getting them past defenses before new signatures can be developed.

During the peak early in the quarter, the Storm/Nuwar malware released over 7,000 variants in a single day, Commtouch reported.

Instant-messaging and peer-to-peer networks also continue to be attractive vectors for malware. Akonix Systems reported 38 distinct new attacks on IM networks in April, the first monthly increase in the number of new IM attacks this year. Attacks on peer-to-peer networks such as Kazaa and eDonkey were also up, with 36 new attacks identified last month. Because IM and P2P often operate outside an enterprises
accepted-use policy, these applications can provide undefended rogue connections that can be exploited by attackers.

Social engineering remains a popular tool for slipping past defenses. Commtouch reported subject lines on malicious e-mail such as First nuclear act of terrorism! to entice the unwitting recipient to open and
click. If sensationalism isnt your cup of tea, there is always the more tender a bouquet of love, popular around Valentines Day. Hey, if it worked with the I love you virus, why not give it another shot?

The targeted, single-recipient e-mail is another form of social engineering. Although the volume of these is necessarily low, the rewards are potentially greater. A carefully tailored e-mail has a better chance of getting the intended recipients attention, they are harder for filters to spot and block, and the targeted network is likely to contain data worth stealing.

MessageLabs also found that the favored tool for delivering the malicious code in targeted e-mails has shifted recently. Microsoft PowerPoint files were the most common vector for delivering code in March, edging out MS Word, with 45 percent of infected attachments being .ppt files. Malicious attachments with .doc files accounted for 35 percent of the payloads, and .exe files were only 15 percent. This spike in the use of PowerPoint could be an anomaly. It apparently was driven by a single gang with an IP address in Taiwan that used the same attack file repeatedly because it had not been identified and blocked by antivirus companies.

But, anomaly or not, the increasing use of PowerPoint to deliver malware to government recipients could have unintended beneficial consequences. Just imagine the burst of productivity in government offices if agencies banned the use of PowerPoint. I know it is not likely to happen, but we can dream.

http://www.gcn.com/online/vol1_no1/44317-1.html

As of June 7, notices will list the maximum severity rating, vulnerability impact, affected software and necessary detection information for each bulletin scheduled to post the following Tuesday.

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9019720&source=NLT_AM&nlid=1