CyberSecurity Institute

Security News Curated from across the world

Category: Trends

SIEM: the Answer to Awkward Security Questions

Posted on January 9, 2009 (updated December 30, 2021) by admini

Companies have to rely on staff to observe reasonable security practice, on partners not to pass on malware, and so on. Just like the financial markets, a big part of security is trust. Complex networks and security deployments throw out gigabytes of log data every day.

A recent IBM survey of 700 European IT managers highlighted the scale of the issue. Over 45% received more than 4,000 security events per second.

Although they’re vital, security systems such as IPS, IDS, firewalls and anti-virus also create problems by generating false positive alerts, often hiding emerging threats from the IT team. This volume of data swamps IT teams, and makes it almost impossible to prioritise potential threats. Perhaps the most critical issue is delayed action.

The biggest cause is insufficient alert context. Firewalls and intrusion systems don’t understand the business importance and vulnerabilities of all systems within the organization. For example, an attempted malware infection of a web server may be reported as a high-priority event by the firewall, even if systems have already been patched against it.

This is the ultimate aim of security management: understanding and prioritizing reported activities in context. This gives the IT team the ability to filter the noise, and focus on real threats.

A SIEM solution automates the collection, correlation and contextualization of security log data and events, which puts what’s happening on the network into perspective — removing the irrelevant noise, and enabling focus on the important events.

http://www.net-security.org/article.php?id=1195&p=1

Cyber Security Reaches “Tipping Point” in 2008; Attacks on Critical Infrastructure Systems and Cyber

Posted on January 5, 2009 (updated December 30, 2021) by admini

Cyber Cartels, groups of young and modern cyber criminals likened by VeriSign iDefense to drug cartels of the 1980s, targeted commercial, not individual, banking accounts for fraud operations and routinely defeated the security measures meant to protect those accounts.

“The cyber security landscape has fundamentally changed where ‘script kiddies’ no longer perpetrate the lion’s share of malicious activity online,” said Jason Greenwood, vice president and general manager, VeriSign iDefense Security Intelligence Services.

http://www.marketwire.com/press-release/Verisign-Inc-NASDAQ-VRSN-930692.html

Study: One-Quarter Of Antivirus Apps Aren’t Working

Posted on December 13, 2008 (updated December 30, 2021) by admini

The endpoint security tool vendor hopes the report will help drive users to try out its “clientless” management tools, which it says can take a more accurate reading of the status of AV software on remote endpoints.

In many cases, users had turned off the antivirus software, thinking that would make their computers run faster, the researchers say.

“What we’re seeing are companies paying Symantec, McAfee, and others for protection that is only working about 75 percent of the time,” adds Alan Komet, vice president of marketing for Promisec.

http://www.darkreading.com/security/antivirus/showArticle.jhtml;jsessionid=EA1KQQBHQNWVKQSNDLPCKH0CJUNN2JVN?articleID=212500149

Bit9 Identifies ‘The Dirty Dozen’ – 2008’s Most Popular Applications With Critical Security Vulnerab

Posted on December 12, 2008 (updated December 30, 2021) by admini

Each application on the list has the following characteristics: Runs on Microsoft Windows. Relies on the end user, rather than a central IT administrator, to manually patch or upgrade the software to eliminate the vulnerability, if such a patch exists.

To read the full list of applications, which includes products from Symantec, Yahoo!, Trend Micro, Sun Microsystems and more, visit here (http://bit9.com/landing/2008vulnerableapps.php) to download the research note.

http://www.darkreading.com/security/app-security/showArticle.jhtml;jsessionid=W4TNO0P1S4NS2QSNDLRSKH0CJUNN2JVN?articleID=212400451

The Global State of Information Security 2008

Posted on October 16, 2008 (updated December 30, 2021) by admini

Quantifying returns on information security projects can be a struggle, often because it’s hard to put a dollar value on a crisis averted. This year, a bad economy forces decision makers to squint even harder at proposals. Even so, survey results show companies are buying and applying technology tools, including software for intrusion detection, encryption and identity management, at record levels. However—and this is serious, folks—too many organizations still lack coherent, enforced and forward-thinking security processes, our survey shows.

While 59 percent of respondents said they have an “overall information security strategy,” that’s up just two points from last year’s survey and it’s not enough, says Mark Lobel, advisory services principal at PricewaterhouseCoopers. Two elements, Lobel says, correlate with lower numbers of security incidents: having a C-level security executive and developing the aforementioned security strategy.

But disappointing numbers piled up this year. For instance, 56 percent of respondents employ a security executive at the C level, down 4 percent from last year. You comb network logs for fishy activity, but just 43 percent of you audit or monitor user compliance with your security policies (if you have them). This is up 6 percent from 2007, but still “not where we need to be,” Lobel says.

As a result, security is still largely reactive, not proactive. More-sophisticated organizations will funnel data from network logs and other monitoring tools into business-intelligence systems to predict and stop security breaches.

So along with encryption fanatics and identity management experts, an infosec team needs statisticians and risk analysts to stay ahead of trouble and keep the company name off police blotters. Still, while our survey illuminates continuing problems, in discovering the problems, we also see a path to safer data for companies that, yes, apply technology but also develop processes and make them part of everyone’s everyday work. What we have to do now is examine our failings, then act.

The Big Picture: Technology Reigns

Money really is power, isn’t it? When asked to indicate any sources of funding for information security, 57 percent of survey respondents named the IT group and 60 percent cited functional areas such as marketing, human resources and legal as major providers. Just 24 percent indicated a dedicated security department budget. With the IT group a strong force, technology becomes the answer to many security questions. To someone with a hammer, everything looks like a nail, according to the old saw.

Divert potential phishing attacks with spam filters.
Stymie laptop thieves by encrypting corporate data.

If there’s a security tool out there, our survey pool uses it. Companies have realized they must do a better job disposing of outdated computer hardware, for example, wiping disks of data and applications. Sixty-five percent of respondents now have tools to do that, up from 58 percent last year.

More organizations than ever are encrypting databases (55 percent), laptops (50 percent), backup tapes (47 percent) and other media.

Use of intrusion-detection software also is up: 63 percent this year compared with 59 percent last year.

And installing firewalls to protect individual applications, not just servers and networks, increased to 67 percent from last year’s 62 percent.

Despite these technology-oriented gains, though, disturbing trends continue in the areas of security processes and personnel—some negate any protection an IT budget can buy. For example, encrypting sensitive data makes good sense, but such technology can’t stop an employee from flouting policies concerning how that data should be handled. If the goal is to secure information, to make it truly safe, you’d better develop processes and procedures for putting your nails in the right place before whacking anything with a technology hammer. Technology must be part of a larger plan to secure information, says Dennis Devlin, chief information security officer at Brandeis University. Devlin reports to Brandeis’s vice president and provost for libraries and information technology. He’s seen it at Brandeis, since joining last year, and at Thomson Corp., now called Thomson Reuters, where he was chief security officer for seven years. For example, employees sometimes fall for e-mail scams and open attachments that unleash malicious software such as key-stroke loggers that record passwords and rootkits that take control of operating systems.

Just 41 percent of those surveyed require employees to undergo training on the corporate privacy policy and practices, up incrementally from last year’s 37 percent.

Checklist Security

Regulations such as the Health Insurance Portability and Accountability Act for medical data, Sarbanes-Oxley for financial data and the Payment Card Industry standard for credit card data continue to move executives to action. For example, 44 percent of respondents say they test their organization for compliance with whatever laws and industry regulations apply, up from 40 percent last year; 43 percent say they monitor user compliance with security policy, a healthy increase from last year’s 37 percent. Many organizations aren’t doing much beyond checking off the items spelled out in regulations—and basic safeguards are being ignored, says Karen Worstell, a managing principal at the consulting firm W Risk Group, former chief information security officer at Microsoft, and former CISO and VP of IT risk management at AT&T.

http://www.csoonline.com/article/454939/The_Global_State_of_Information_Security_

Kaspersky Lab: Kaspersky Lab Reports Significant Increase Of In-The-Wild Threats In September 2008 S

Posted on October 4, 2008 (updated December 30, 2021) by admini

Gostev comments on other revelations from the top twenty, “A significant amount of the attacks on users’ computers stem from various script downloaders. Such a Trojan downloader – Trojan-Downloader.WMA.Wimad.n – returned to the ranking in second place in September. This multimedia file exploits a vulnerability in Windows Media Player to download various Trojans.

In Kaspersky Lab’s top twenty ranking of the most common malicious programs among all infected objects detected on users’ computers, the changes were minimal compared to August, with only four new entries (3rd, 5th, 15th and 20th); however, the majority of the programs have file-infection capabilities.

Net-Worm.Win32.Nimda, which unexpectedly claimed first place in August 2008, has been replaced by Virus.Win32.Xorer.du at the top of the ranking.

http://www.tmcnet.com/usubmit/-kaspersky-lab-kaspersky-lab-reports-significant-increase-in-/2008/10/03/3684183.htm
