Category: Trends

A year ago, the $10 billion-a-year insurance provider received 2.6 million spam E-mails. By November, the number had nearly doubled to 4.8 million.

As if trying to keep missives offering cheap Viagra or get-rich-quick schemes out of in-boxes weren’t enough of a job, a steadily increasing onslaught of spyware and adware is further taxing IT resources. EFunds’ Jones is working to combat all types of attacks, whether they’re brought about by spyware or other means.

UnumProvident is one of a growing number of companies beginning to investigate anti-spyware products. By and large, companies allocate more IT dollars to fighting the twin scourges of spyware and adware, while continuing to pump time and money into keeping spam of every variety under control.

Just over 70% of 400 business-technology professionals recently surveyed by InformationWeek Research will spend somewhat or significantly more money to manage spyware, and more than 60% say the same of adware. E-mail accounted for half of inbound messages in 2004, up from 40% the year prior.

Two types of small applications can be installed on PCs by specially crafted E-mail messages, “free” software downloads, and other tricks. But they steal time from IT staffers, who must handle more help-desk calls from users who can’t get rid of pop-up ads and clean up systems suffering from performance slowdowns that stealth adware or spyware installations bring on.

Kim Jones, director of global security services for electronic financial processing company eFunds Corp., knows the problems adware can cause. Criminals and hackers use spyware such as keystroke loggers and Trojan horses to capture everything typed on PCs or to take control of systems to steal user names and passwords that could be used to attack and gain access to business resources. Last summer, Jones started using MainNerve Inc.’s Adaptive Darknet Service, a network of sensors scattered about the Internet spotting hacker command-and-control networks, which is constantly updated with attacking IP addresses.

McAfee this week adds spyware blocking capability to its McAfee IntruShield network intrusion prevention app, and it’s delivering a beta version of its Anti-Spyware Enterprise Edition Module that will work with its corporate anti-virus product.

Technology already has made a dent in spam problems. UnumProvident’s Fleury has seen results: The company uses spam filtering from SurfControl plc, and despite the uptick in spam being sent to users, employees aren’t seeing many of those messages in their in-boxes.

Cox now uses two CipherTrust Inc. secure E-mail appliances, and Warlick estimates they block 99% of the 38 million spam E-mails that head Cox’s way each month.

Spam is “now a security threat,” because more spam E-mails today contain adware or spyware that users unwittingly install.

http://www.securitypipeline.com/57701881

Steve Hunt, an analyst with Forrester Research, said in the report while companies have generally treated physical security as part of the facilities department and computer security as part of the information-technology group, employee information has increasingly become integrated, allowing businesses to link the two systems.

“Locks, cameras, entry systems, and even guard desks will be upgraded to work with the same computing systems that control computer and network sign-on, identity management and security incident management,” he wrote. “Consequently, IT security vendors will rush to merge or find partnerships with their physical security brethren to respond to the new opportunities.”

The link between physical security systems and network security is another ripple emanating from the events of 11 September, 2001. Spending on such integration will double compared with 2004, reaching $1.1bn in Europe and the United States in 2005, the report said.

US government projects to integrate physical and network security, such as the Transportation Worker’s Identity Card mandated by the Transportation Security Agency and the Common Access Card used by the Department of Defense, up the lion’s share of the money being spent, Forrester predicted. The federal government has focused on integrating physical and network security following the findings of the 9/11 Commission.

http://news.zdnet.co.uk/business/0,39020645,39183941,00.htm

Just ask Apple Computer, which filed two lawsuits in December accusing insiders and partners of leaking proprietary information. In one case, Apple is suing two men it says distributed prerelease versions of Tiger, the next iteration of Mac OS X. In a separate action, it is suing unnamed individuals who leaked details about a forthcoming music device code-named Asteroid.

Apple’s not the only company that’s found sensitive internal information leaked to the public. Big names such as America Online, Microsoft and Cisco Systems have also been victims.

Research indicates that most security breaches are inside jobs. A recent Ponemon Institute survey of 163 Fortune 1000 companies found that roughly 70 percent of all reported security breaches were due to insiders.

“It’s much more glamorous to think of the hacker who works for some large cyber-crime ring,” said Larry Ponemon, head of the Tuscon, Ariz., think tank. “But in reality, those characters only make up a small percent of the problem.”

For more than a decade, corporations have erected digital perimeters to keep outsiders off their networks. But now discontented, reckless and greedy employees, and disgruntled former workers, can all be bigger threats than the mysterious hacker. And as more companies outsource portions of their business, vital company information can easily fall into the wrong hands.

Securing information from the inside has been largely overlooked by many companies. But headline-grabbing incidents such as the one at Apple, along with new federal and state regulations for protecting private information, are causing many companies to rethink their security strategies from the inside out. As a result, a whole new class of products has sprung up aimed at keeping employees and other insiders from sending confidential information outside the company. Developing new techniques In addition to products that control who gets access to what information, a slew of new start-ups focus on securing digital content and watching where it goes. Products in this category vary in their approach.

Some focus solely on protecting intellectual property from being leaked, while others also perform forensics analysis, digital rights management and security policy management. Some products from companies like Vontu and Vericept act as gateways in the network to track sensitive information that is being sent outside of the network. They monitor e-mail, instant messages, FTP files, and other electronic communications on corporate networks, sniffing for leaks of Social Security numbers and other sensitive information. They only prevent information from being electronically sent over the network. They do nothing to prevent people from downloading files or printing documents.

Jon Oltsik, senior analyst with Enterprise Strategy Group, says technology must also exist on PCs and other devices not only to monitor what data is traversing the network, but to establish and enforce policies regarding printing and downloading information onto disks or USB devices. Companies such as Authentica and Liquid Machines sit on the client machine tracking and limiting how recipients handle certain information.

“There isn’t one technology that will solve this problem,” Oltsik said. “You really need to take a combination of approaches.”

The no-tech Trojan horse Once inside a company or one of its partners, a trusted employee can do enormous damage. Often such leaks disclose the most sensitive of data. “Insiders know where the information is located and how the security systems work,” Oltsik said. “They know what information is valuable and what’s not.”

http://news.zdnet.com/2100-1009_22-5520016.html

Spending on Secure Sockets Layer Virtual Private Networks (SSL VPN) will grow at a 53% compound annual growth rate, and SSL VPNs will surpass traditional IPsec VPNs as the de-facto remote access security standard by 2008, according to a new report from Forrester Research.

In “SSL VPNs Poised for Significant Growth,” Forrester associate analyst Robert Whiteley says companies are attracted by the technology’s application-level simplicity.

Unlike IPsec VPNs, which require special client software to access the network, SSL VPN supports a wide range of devices, from desktop computers to PDAs, and applications, while offering network administrators greater granularity of user information and providing better endpoint security.

According to the report, some 44% of American businesses have deployed SSL VPNs, spending $97 million on the technology last year alone. Despite the impressive adoption rate for a technology that has been in the business mainstream for less than a year, Forrester expects SSL VPN deployments to continue to take off, with the market growing at a 53% compound annual growth rate to $1.2 billion in 2004.

SSL VPNs are already well-entrenched in the financial and business services industries and in the public sector. Driven by the need to ensure endpoint security for online services, the financial services industry can boast a 56% penetration rate, with business services just behind at 51%.

In both cases, Whiteley predicts a compound annual growth of 34% to 2010 which, though impressive, pales beside the expected SSL VPN growth in late-adopting industries. Indeed, Whiteley writes that retail and manufacturing are poised to leap into SSL VPN with gusto over the next few years.

“Retail and wholesale allocates 7.8% of its IT spend to security — more than even financial services,” he notes.

http://informationweek.com/story/showArticle.jhtml?articleID=56900844

But new challenges are emerging: the rise in fraud and identity theft, the increasing consumer demand for privacy protections, and the drive by companies to partner with other businesses to interconnect their online services. The pressures behind these new market forces are welling, and attention to will start to fundamentally shift the direction of the identity management market in 2005.

Compliance initiatives occupy center stage in IT and security projects. From Sarbanes-Oxley and the USA PATRIOT Act to HIPAA and Visa Account Information Security Standards, a common aspect of these regulations’ security and privacy components is the establishment of proper authentication practices and the appropriate assignment of privileges.

Developing, enforcing, and auditing authentication and access control policies is a core element of compliance projects. While businesses are still able to absorb the direct losses, consumers are altering their behavior, curbing their online purchasing and use of online banking services.

Whoever is accessing your systems, be it employees on your LAN or Wi-Fi network, partners on your extranet, or customers on your commerce sites, simple passwords no longer suffice as a reliable means of authentication. Businesses continue to build out and interconnect Internet-based services.

Provisioning directly addresses key compliance concerns around documentation, enforcement, and auditing of security controls. The primary value of provisioning has shifted from the ROI around self-service password reset and IT efficiency improvements to the policy enforcement and auditability around role-based access controls and centralized process management. Provisioning has eclipsed Web single sign-on in terms of both visibility and import.

HIPAA and Sarbanes-Oxley are driving organizations to adopt strong authentication technologies like smart cards and biometrics, or simply to strengthen their password policies.

E-SSO solutions have matured greatly and are deservedly getting a new look after a long period of neglect. This spans technologies as broad as Web services security, Trusted Computing, RFID deployments, and smart homes. This will manifest first in the realm of authentication and account protection, then in the realm of authorization and data protection

Identity federation moves out of the test lab.

Identity management will evolve towards a well-recognized layer of the computing stack, and vendors will develop broad portfolios of integrated components. Not only is it being rediscovered by end user organizations, but also big vendors will step up and acquire independent solutions after a long period of loose partnership activity.

http://www.csoonline.com/analyst/report3172.html

Like many migrations, these are spurred by outside forces ranging from increasingly active malware writers to regulatory pressure from Gramm-Leach-Bliley (GLB), HIPAA, Sarbanes-Oxley and other industry-specific rules.

Functions are migrating from passive (sounding the alarm when something goes wrong) to active (preventing a wide range of intrusions and vulnerability exploits).

Controls are migrating from the individual, with each security function operating as an island, to the centralized, with access control and policy-enforcement frameworks linked to one another and to the remainder of the network infrastructure.

As the concept of network perimeter loses its meaning, the most important method you can use to safeguard your network in 2005 is multilayer protection. Regardless of the specific piece of network protection taking most of your attention this year, you should plan for it to be one of many layers of security, rather than a global network-protection cure-all.

The good news is that most of these developments encourage the network to take a more active role in its own defense, while giving you, the administrator, more centralized control, more finely calibrated responses, and more information about what’s going on with attacks and reactions.

The bad news is that the promises are based on sometimes-competing new alliances and standards.

Betting on the wrong alliance or standard could leave you changing directions (and components) mid-migration–a consideration that takes on greater weight as security components are increasingly integrated into the core network infrastructure.

Intrusion detection systems–the primary source of warnings that attacks are under way–are critical pieces of network-security infrastructure, providing detailed records of attacks, intrusions and unexpected network activity. For most enterprises, the IDS has become the central piece of security hardware, certainly the most visible piece to the staff. Without an IDS, the security staff must gather forensics information from firewall, server and router log files.

Schemes such as Cisco’s Network Admission Control (NAC) and Microsoft’s Network Access Protection (NAP) have, among many other capabilities, IDS and firewalls sharing some of the features of an IPS (intrusion prevention system), with the IDS feeding control information to a central authority, which then gives instruction to the firewall for connection reset and address blocking.

As a piece of a multilayer security approach, an IPS can join the IDS, enterprise firewall, desktop firewall and application firewall to protect your key network assets. For some, the blocking of even one piece of legitimate traffic is unacceptable.

As an incremental tool that can help cut down on the volume of attack traffic, intrusion prevention from vendors including Check Point Software, Internet Security Systems, Lucid Security, Radware and Tipping Point should be seriously explored in 2005.

The various governmental regulations, including HIPAA and GLB, make it business-critical for a company to protect customer and patient data from any theft or intrusions, and make it just as important that the company demonstrate that the protection is in place and effective.

Ask any vendor claiming to have an enterprise policy framework how many companies have partnered with them to let their products be queried and/or controlled by the central management console. The partnership issue should be more readily resolved by the industry giants that have introduced their own policy and access-control systems.

Both Cisco Systems with its NAC and Microsoft with NAP are building network-control frameworks on the basis of technology and products that are in the field, though neither company expects to have production deployments before the middle of the year.

At the same time, agencies and organizations have begun the work of building standards–the National Institute for Standards and Testing published ANSI INCITS 359-2004 (for role-based access control) in February 2004, and other organizations have committees beginning to look at the requirements for standards.

SSO across a global enterprise and all its myriad applications isn’t going to happen in 2005 and probably won’t happen in 2006.

“Thumb drives,” small USB storage devices, have replaced floppy disks as the portable storage medium of choice for mobile professionals carrying presentations, software updates or small applications from office to office.

Moving bandwidth shaping, access control and command communications to other components in response to intrusion incidents to the basic infrastructure makes sense, and will continue at an increasing pace in 2005. The last point for 2005 doesn’t involve a specific product or technology, but encapsulates all the changes already discussed.

http://www.networkcomputing.com/story/singlePageFormat.jhtml;jsessionid=W0EE0KMQETN10QSNDBGCKH0CJUMEKJVN?articleID=55800066