Category: News

Oracle hopes to take IGF to a standards body such as W3C, OASIS or the Liberty Alliance, for further development at a time when Web security is a huge area of concern for corporations concerned about meeting federal regulations requiring stringent privacy policies.

To date, specifications from the Liberty Alliance, Higgins Project and Microsoft enable businesses to gather personal data from customers and bring it safely into the enterprise system for use among partners, suppliers and customers. Nobody is tracking which application the personal data, which can include PINs, Social Security numbers or even credit card and bank account information, ends up in and whether that data is being used appropriately and by authorized personnel. For example, a patient’s medical history should only exist as a contract between the patient and the primary care physician, not to a nurse practitioner or insurance broker.

IGF offers a standard way for corporations to define policies to securely share sensitive personal information between applications and identity sources.

Rolling IGF into a standards body should also make the specs more appealing to Oracle rivals that may be hesitant to join the effort because the software giant is its chief architect, Jasuja said. For example, Jasuja said that some of the vendors Oracle invited to join IGF are taking a wait and see approach, including Microsoft (Quote), IBM (Quote) and BEA Systems (Quote), are reticent to come aboard because Oracle is fueling the framework.

http://www.internetnews.com/security/article.php/3646026

It’s no surprise then, that business executives are beginning to question what they’re getting for their IT security spending. Their tolerance for technospeak such as distributed denial of service attacks and buffer overruns is rapidly decreasing. Networks were private and built around proprietary protocols. Then seemingly overnight, applications were turned inside out. Private networks gave way to the Internet for all communication and information sharing. Worms and viruses became the norm and costs from security-related business interruption skyrocketed.

In its early phases, senior executives primarily cared about containing the security problem and let the technology experts decide what to do. As budgets increased, the technology became at once more sophisticated and numerous, and eventually multiplied into a seemingly unlimited number of subcategories and products. In this rapid spend cycle, IT security products emerged as standalone solutions, incapable of working in an ecosystem or sharing information among one another.

Are IT security teams equipped to think about “results” when they can barely keep up with the administration and information overload from all those products they acquired? Executives set goals based on identified metrics, and then measure and manage to the established goal. ROI is great when the goal is to increase revenues or reduce costs. When all the technology talk is set aside, the goal of IT security can be simply stated as minimizing risk at the lowest possible cost.

Organizations will demonstrate how they are managing risk across their information systems and networks and compare today’s results to last week, last month, last quarter, last year. And by comparing risk trends with security spend, executives will clearly understand how their investment in security is being managed, and the effectiveness of that spend.

But should such an event occur, organizations will have clearly documented processes and metrics that prove a standard of due care was in place.

Measuring costs are easy, so let’s focus on measuring risk. For example, advanced vulnerability and risk management systems can continuously identify and profile assets on a network to objectively and automatically measure vulnerability risk, configuration and security policy compliance and other specific metrics to produce a risk “score” for each device. These asset risk scores can then be aggregated across the entire network and reported by region, application, operating system, business unit and numerous other ways.

http://www.it-observer.com/articles/1282/measuring_security/

Commercial websites are very much on their own when it comes to protecting themselves against a flood of traffic that can deliberately knock their business offline for days at a time during a distributed denial of service, or DDoS, attack.

What ISPs currently offer as standard is stone-age in terms of sophistication and more centred on protecting the ISP’s network than cleaning out DDoS traffic and ensuring that legitimate traffic reaches the affected sites.

DDoS attacks are not a problem at the core, where we have acres of bandwidth, but as it gets out to the edge, where the routers and switching hardware is less substantial, then it can be quite damaging. ACLs, or Access Control Lists, summarily block access to the network from ranges of IP addresses containing DDoS traffic, or to the target URL. But this blanket approach makes no allowance for legitimate traffic, and partially accomplishes the DDoS attackers’ goal, in rendering the target site unavailable or unusable. Neither the ISP or victim are satisfied with the results.

One online gambling site, for example, uses DDoS mitigation specialist Prolexic to direct traffic through its datacentres when under attack. It’s expensive, but not as expensive as losing literally millions of pounds in unplaced bets if – over a key sporting weekend – the site is taken down by an attack. It’s a gamble they can’t afford to lose. Chris Tolson, Infrastructure Manager at a large online gambling company, said: ‘We would struggle to handle with our current bandwidth constraints and the hardware we have in place to fight an attack. It is vital that legitimate traffic continues to come through to our website even while we’re under attack and we do not know of anyone other than Prolexic who can ensure this with today’s increasingly strong and tenacious attacks,’ he added.

Keith Laslop, president of Prolexic said: ‘I’ve seen them on forums where you can hire bots for next to nothing.

http://www.pcpro.co.uk/security/news/98815/bt-to-make-ddos-mitigation-affordable.html

“SMEs have to realize that just because they are small, it doesn’t mean they won’t be targeted. Bad guys target wherever they can get money. Individuals working on peer-to-peer networks often don’t realize they’re sharing the whole contents of their drive. You can find Homeland Security vulnerability assessment documents online from employees (using P2P).”

However, Schmidt said that SMEs will eventually start using managed software security services, with third-party providers managing both low-cost application level security and end-point hardware. They want automatically self-healing and self-configuring software,” said Schmidt.

Small businesses must take security into account in their planning and decide whether to outsource security, invest in training or allocate more resources. If a small enterprise does have a full-time IT manager, that manager should become familiar with security standards such as ISO 17799, he said.

McMurdie said that computer security should follow common-sense procedures.

http://news.com.com/Small+companies+ignorant+of+security/2100-7355_3-6137381.html?tag=ne.fd.mnbc

But Ted Julian, vice president of marketing for AppSec, which sells vulnerability scanning tools for databases, says the lopsided vulnerability count may be more a function of where the more valuable corporate data typically lies — in the Oracle database. “I see plenty of companies that have confidential data in SQL Server, Oracle, DB2 and Sybase. It is certainly not as if it all sits on Oracle,” he says.

But either way you slice it, hacking a database is like striking gold, whether it’s via a Web app or database bug — or both. “If you can break into a Web application, you can get access to the database using the same application,” Friedrichs says.

And you can’t count on that firewalled DMZ to protect your database anymore: Databases are most at risk to an insider threat, ESG’s Ogren says, and these attacks don’t typically use vulnerabilities at all.

http://www.darkreading.com/document.asp?doc_id=110881&WT.svl=news2_3

“There has been a lot of spending on network security, but the perception is there is not a lot of risk in that area,” says Forrester senior analyst Tim Sheedy. Sheedy claims that in a few years IT security will be measured much like other business metrics. Businesses will be able to factor in the actual information security risk, based on factors such as employee behaviour, system readiness and the financial ramifications of employees who expose an organization’s most sensitive information — either willingly or by accident. “Putting actual metrics — and particularly financial metrics — around security is going to be a major trend,” Sheedy said.

By 2010, says Pullen, industries like retail, construction and finished goods will have to deal with the same online nasties that plague online banking today — and most won’t be ready.

“In 37 months time I think there will be a public company either forced into chapter 11 (US bankruptcy code) or forced into bankruptcy in Australia because of a security breach that either resulted in goods being stolen from them or an incident with such an impact a company is forced to shut down,” he said.

http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9005164&taxonomyId=17&intsrc=kc_feat&WT.svl=bestoftheweb1