Security News Curated from across the world
Among other things, the report proposes educating Web developers on secure coding techniques; adopting more behavior-based protection; enabling protection engines to understand JavaScript; and encouraging Website remediation and better content-filtering by browsers.
http://www.darkreading.com/document.asp?doc_id=135609
Antivirus software will account for more than 50 percent of the total security software revenue market in 2007, according to the calculations by analyst Gartner.
Gartner principal research analyst Ruggero Contu said that traditionally, the security software market has been dominated by “best-of-needs” vendors, but the market is now starting to see a gradual consolidation around fewer players.
http://www.news.com/Gartner+Antivirus+is+biggest+security+expense/2100-7355_3-6207989.html?tag=ne.fd.mnbc
“Over time we’ll likely see a mix with SaaS being used more heavily where it can offer benefits of cost and management, just as with general outsourcing.”
Having used Qualys’ vulnerability scanning services for over five years, ICI is at the cusp of large enterprises that have begun replacing some in-house security tools with subscription-based services. The company is currently considering use of hosted applications binary code scanning tools offered by Veracode, a relatively new start-up, under the idea that it can begin integrating multiple SaaS technologies to offload larger parcels of its security infrastructure to outside specialists, Simmonds said. “The combination of outsourced vulnerability and binary code analysis through combining Qualys and Veracode is the type of thing that could be very significant as it’s the kind of work that can truly benefit from being done once, centrally, in terms of running samples through tests. Emerging security tools like NAC systems and endpoint-oriented products, including data leakage prevention software, are among the types of technologies the ICI security chief said wouldn’t ever likely be provided via SaaS.
In the meantime Simmonds said that the chemicals behemoth will continue to seek out new SaaS security alternatives as they come to market. Philippe Courtot, chief executive of Qualys, is recognized as one of the chief evangelists of security SaaS in general, just as Salesforce.com CEO Marc Benioff has become associated with pushing the hosted applications model into the enterprise software space.
However, with 37 Fortune 100 companies among its enterprise customers and a groundswell of interest from smaller firms driving what he labeled as rapid growth at the privately-held firm, Courtot claims that security SaaS is moving quickly from an emerging phenomenon into a widely-accepted business model. “I don’t think that the time is here for certain enterprises, and some may never embrace SaaS, and for securing and scanning the endpoint, we’ll always likely see tools at the endpoint,” he said.
http://www.infoworld.com/article/07/08/22/Security-SaaS-maturing-fast_1.html
“Organizations are thinking about the BlackBerry or smartphone as an extension of the computing network, and as a terminal that’s carrying a lot of sensitive enterprise data,” says Scott Totzke, vice president of the global security group at Research in Motion, maker of the BlackBerry handheld device. “They want tools to kill information or lock it down when a handheld is lost, they want to encrypt sensitive data in transit and at rest, and there are growing concerns around compliance.”
Although Totzke denies that security concerns are slowing down enterprise uptake of RIM’s BlackBerry devices, he admits the issue has made his company’s sales process “more complex,” as customers are going to greater lengths to ensure that data on handhelds is adequately protected before they buy. In working with the Pentagon’s IT leaders on mobile device adoption, including an ongoing project to replace 1,200 existing handhelds with new BlackBerries, executives at the consultancy say that security concerns have become a primary focus. In May 2006, the highly publicized theft of a Department of Veterans Affairs laptop containing millions of servicemen’s records led to a series of heated debates on Capitol Hill.
Since then the emphasis on making information security a central part of the hardware procurement process has shifted to the fore, including for handhelds, says Will Alberts, chief executive of FOWGroup. “No one wants to end up on the front page of the newspaper, and everyone recognizes that the additional capability of storing more data on the device opens new risks,” says Alberts, who is also a member of the National Security Administration’s Joint Wireless Working Group.
In addition to the security features that RIM offers, including remote data-wiping tools and integration with two-factor authentication systems, Alberts says that government organizations are interested in utilizing encryption capabilities offered by the device maker and other third-party vendors to defend mobile data more aggressively.
“Mobility is bringing more functionality into enterprises as the devices expand, and there are great productivity gains, but on the flip side the costs of downtime and impact of potential data loss have increased significantly,” says Kara Hayes, senior product marketing manager for the security and mobility connectivity group at Nokia. Hayes says security concerns most commonly voiced by enterprise customers include issues related to lost devices, use of unsanctioned handhelds or mobile applications, and the potential for hackers to hijack the machines’ wireless data transfer systems. “With encryption, companies are figuring out that they need to know who the users really are and what type of functions they are going to use; they understand that they need to have different types of policies and deploy different levels of encryption to the necessary users, and not necessarily everyone,” Hayes says. “If an individual is a hard-core user of e-mail, messaging, or mobile [CRM] tools, they are at higher risk and need this type of protection,” Hayes says.
“The mature IT organizations that bring network security people to the table during the decision-making process are the ones who are doing the best job,” Lobel says. “And people need to have these conversations about the risks and solutions in business terms so that everyone involved understands; it’s hard to tell the CEO no when he wants something, so it’s important to explain things in way that everyone grasps.”
One company, F-Secure, is sourcing its security applications through wireless carriers in an effort to stake a claim in the mobile device space. According to F-Secure officials, bundling security into wireless contracts and allowing operators to offer additional device defense services will prevent enterprises from having to deal directly with a wide array of vendors, thereby securing mobile initiatives in a more cost-effective manner.
Moreover, with security part of the package, end-users will also be more likely to use their smartphones in more interesting ways, says Curtis Cresta, general manager of F-Secure North America. “The critical mass of smart device users is changing perceptions of adoption; much as with laptops, there has been a natural evolution with security, and a growing number of enterprises are now coming to us for advice,” Cresta says. “For instance, there has previously been a bit of resistance to pushing business applications out to handhelds, and applications companies have even come to us looking for help selling their products, but the market appears to be coming around, and having better security available from the carriers is a significant part of that.”
Sprint Nextel, for example, offers Sprint Mobility Management. Available for roughly $8 per user, the portfolio includes compliance, data protection, and anti-virus services for handhelds, along with other nonsecurity capabilities.
In addition to researching device capabilities, carrier services, and aftermarket technologies to help protect mobile devices, analysts advise enterprises to look at advanced handhelds in the same way they have come to view laptops and other technologies from a security perspective.
http://www.infoworld.com/article/07/08/21/34FEmobilesecurity_1.html
So-called “defense-in-depth” is just another way of saying “you’ve got a bunch of technologies that overlap and that don’t handle security in a straightforward manner,” says Alastair MacWillson, global managing director of Accenture’s security practice. “It’s like putting 20 locks on your door because you’re not comfortable that any of them works.”
Yet a case can be made that respondents aren’t worried enough, particularly about lost and stolen company and customer data. Only one-third of U.S. survey respondents and less than half of those in China cite “preventing breaches” as their biggest security challenge. Only one-quarter of U.S. respondents rank either unauthorized employee access to files and data or theft of customer data by outsiders in their top three security priorities, and even fewer put the loss or theft of mobile devices containing corporate data or the theft of intellectual property in that category.
This lack of urgency persists despite highly publicized–and highly embarrassing–data-loss incidents in the last year and a half involving retailer TJX, the Department of Veterans Affairs, and the Georgia Community Health Department, among many, many others. Instead, as with last year, the top three security priorities are viruses or worms (65% of U.S. respondents, 75% in China), spyware and malware (56% and 61%), and spam (40% in both countries).
So are security pros focusing on the wrong things? Yes, says Jerry Dixon, director of Homeland Security’s National Cyber Security Division. “You need to know where your data resides and who has access to it,” Dixon says. It seems as though security pros are missing the point, choosing to focus on the security threats with which they’re most familiar as opposed to emerging threats designed to cash in on the value of customer data and intellectual property. “We’re always concerned about people sharing their authentication credentials with someone else or with information leaving the organization via laptops or memory sticks,” Marreel says.
For instance, exploiting known operating system vulnerabilities is the leading method of attack in both countries–43% of respondents in the United States and a whopping two-thirds in China say so. Of the 804 U.S. respondents admitting to having experienced breaches or espionage in the past 12 months, 18% attribute the problem to unauthorized employees, and 16% suspect authorized users and employees. But that’s down from nearly 25% of companies reporting breaches in 2006.
Laptops and portable storage devices are being stolen from employees’ cars and homes in mind-boggling numbers. Last month, a backup computer storage device with the names and Social Security numbers of every employee in the state of Ohio–more than 64,000 records–was stolen from a state intern’s car. In April, the Georgia Department of Community Health reported the loss of 2.9 million records containing personal information, including full names, addresses, birth dates, Medicaid and children’s health care recipient identification numbers, and Social Security numbers, when a computer disk went missing from service provider Affiliated Computer Services, which was contracted to handle health care claims for the state. “If a partner or service provider has access to any of our data, we want a security paragraph written into our contract that gives us the right to perform a security audit against them and to perform these audits regularly,” says Randy Barr, chief security officer of WebEx, a Web-conferencing company.
Still, 42% of respondents say data leakage is bad enough that employees should be fined or punished in some way for their role in security breaches, once those employees have been trained. Consultant MacLean takes an even tougher tack: “Termination is pretty severe, but in some cases it’s appropriate, as is civil or even criminal prosecution.”
A significant number of respondents want to put the responsibility for porous security on the companies selling them security technology. Forty-five percent of U.S. companies and 47% of companies in China think security vendors should be held legally and financially liable for security vulnerabilities in their products and services. Some of the unease about corporate IT security may stem from the fact that most companies don’t have a centralized security executive assessing risks and threats and then calling the shots to address these concerns.
The process for setting security policy in most companies is collaborative, and groups comprising the CIO, CEO, IT management, and security management all have input. Eisenhower Medical Center doesn’t have a chief information security officer, instead relying on its general counsel to make regulatory compliance decisions, and on CIO Perez, working with system administrators, to set security policy. “We gather information from each director in each department to find out what systems and data they need access to,” Perez says. “The doctors want easy access, and we’re trying to make it more secure.”
The number of chief information security officers has grown significantly in the last year. Roughly three-quarters of survey respondents say their companies have CISOs, compared with 39% in 2006. CISOs predominantly report to the CEO or the CIO.
When it comes to the ultimate sign-off, however, half of U.S. companies say that the CEO determines security spending.
In the United States, the greatest percentage of respondents, 37%, say their companies assess risks and threats without the input of a CISO, while an astounding 22% say they don’t regularly assess security risks and threats at all.
In the United States, the portion of IT budgets devoted to security remains pretty flat; companies plan to spend an average of 12% this year, compared with 13% last year. China, on the other hand, is on a security spending spree: The average percentage of IT budget devoted to security this year is 19%, compared with 16% in 2006. It’s interesting to note that 39% of U.S. companies and 55% in China expect 2007 security spending levels to surpass those in 2006.
If it all sounds overwhelming, don’t panic. While information security has gotten more complex–as attackers alter both their methods and their targets, and companies layer more and more security products on top of each other–the good news is that the measures required to plug most security holes often come down to common sense, an increasingly important quality to look for in any employee or manager handling sensitive data.
http://www.darkreading.com/document.asp?doc_id=129128&WT.svl=cmpnews1_1
Among the respondents to the emedia survey, the chief security concerns were about virtualization patching and updates (32 percent), guest-to-guest attacks (27 percent), and the addition of new host software (22 percent).
IT professionals plan to attack these threats by taking various safety measures, including staff training/improving understanding (51 percent), patching/updating/hardening servers (38 percent), using firewalls (30 percent), and separating networks/subnetting/routing (25 percent).
http://www.darkreading.com/document.asp?doc_id=127420&WT.svl=news1_2