Category: Uncategorized

However, security is a complex issue, where many remedies are required for different aspects, so such a simplistic view may not be enough to look at when selling our security wares. Some industry participants complain about increased competition as a factor in depressing their security sales.

However, let’s take a quick look at a typical large European country as a “market” for example Germany or the UK. This reveals that there will be, on average, ten firms providing Managed Security Services (MSS), with the biggest firm holding about a 20% market share.

Then there is another way: proving security ROI. In the security industry, however, every vendor seems to have one, which is slightly different from other vendors’ and which ‘proves’ that buying that vendor’s product or service makes the best economic sense. For example, I’m sure we’ve all seen the statistics stating that having someone else to manage your company’s firewalls is a 400% ROI over one year, when compared to managing them in house. Whenever we are confronted with such figures, there are several things we need to ask: How many firewalls do these figures refer to?

How many clients participated in the survey, how many vendors? Many ROI calculations adopt a simplistic and/or simplified view of the underlying costs. From a client perspective, a lot of energy is usually spent debating whether security is best kept ‘in house’ and delivered by client’s own personnel (or built by internal efforts), or is it better to outsource or buy ‘off the shelf’. Because security is essentially a trust issue, the natural inclination is to keep it in house, shrouded in secrecy.

From an economic perspective, there will be security tasks which are more efficiently carried out by an outsourcer (e.g. managing firewalls or IDS), and some which are more suited for in house delivery (e.g. fraud and incident investigations), if skills exist in-house. A good provider will remind the client that they always retain the full responsibility for their organization’s security posture, even if some security tasks have been ‘delegated’ to hands and brains outside the firm. Economics also plays a part in everyday decisions taken by individuals (employees) when it comes to doing the “right security thing.”

The answer is making security a business enabler and with a relatively low compliance cost. The main idea we need to tell our clients is that security can be a business enabler and not just an “IT cost,” Let’s stop viewing information security through the prism of fear and start to quantify it and, more generally, technology risks and threats in economic terms.

At the end of the day, buying decisions are made by business people and not necessarily by technologists, so security investment decisions must make business sense in order to be adopted. We need to articulate the economics angle whenever we buy or sell security.

The economic benefit of complying with the security policy will accrue to both you and your organization. Then, you can concentrate on doing what you do best, knowing you’ve done “your bit” to keep your information safe.

http://www.net-security.org/article.php?id=1062&p=1

Stick it somewhere in your environment where it’s likely to get noticed by an intruder, and tell it to page your incident response team (or you) if anything unexpected tries to connect to it. It’s a fake computer asset, and nothing (once you’ve fine-tuned the false positives out) should ever connect to it.

Months and months go by without any significant updates, but this month has seen a cornucopia of new developments and updates. New honeypot book Niels Provos (creator of Honeyd and senior staff engineer at Google) and Thorsten Holz have written an excellent honeypot book in “Virtual Honeypots: From Botnet Tracking to Intrusion Detection.” As a seasoned honeypot and honeyclient professional (and honeypot book author), he had high hopes for this book — and it delivers. The only downsides he could even come up with is that the book deals with a lot of Unix/Linux-only products, just like the honeypot software world, which might be a put-off for Windows-only readers.

In the end, what he really liked about this book is its coverage of a wide range of products and its practical application to capturing and analyzing malware.

Updated Honeyd for Windows Honeyd, originally a Unix/Linux-only product by Niels Provos, is one of the best virtual honeypot software programs in existence. Michael Davis did the original Honeyd port to Windows (thank you very much, Michael), but that version didn’t keep up as Windows XP and later came out. Jesper Jurcenoks, co-founder of netVigilance, has released an updated version of Honeyd for Windows. It works on all Win32 systems, including Vista, and comes with the ability to exclude predefined types of activity (which is a must when you’re doing real-time file and registry analysis).

The New Zealand Honeypot Project, which produced Capture-HPC, also wrote an excellent white paper on using Capture-HPC to identify malicious Web servers.

http://www.infoworld.com/article/07/08/24/34OPsecadvise_1.html

She listed BorderWare Technologies and Sipera Systems as key providers of VOIP security tools on the infrastructure side, and Zfone’s encryption technology—which has been submitted to the IETF (Internet Engineering Task Force) as a proposed public standard—as important on the client side.

“because most of the voice-over-IP traffic is still not encrypted,” said Paul Wood, an analyst with MessageLabs, headquartered in Gloucester, England. However, he added, VOIP security threats remain largely theoretical, as hackers and cyber-thieves tend to focus their efforts on e-mail. e-mail is certainly the single biggest target for [such attackers] because it enables them to exploit this massive ecosystem,” Wood said, adding that the mix of hardware- and software-based VOIP deployments makes it harder for hackers to target systems.

It takes a mix of security tools, from session border controllers to dedicated firewalls for VOIP traffic to network and host intrusion detection/prevention systems, to secure VOIP, Fodale said. She added that the key challenge for businesses will be to integrate VOIP security into a unified security framework.

http://www.eweek.com/article2/0%2C1759%2C2175285%2C00.asp

To lock down a large Web services network involving multiple enterprises, everyone must agree on technologies, even security policies: There’s no use demanding that your employees use biometrics and physical tokens if a partner’s staff accesses the system with weak passwords.

Before buying the elements of SOA security, do your homework, because the market is in flux. On balance, the movement we’re seeing is good news for IT because it means more choices and potentially fewer vendors to deal with. But it also makes buying decisions a lot more complex.

For example, Web services exposed to the Internet need XML firewalls, also known as SOA security gateways. However, this product category is disappearing thanks to ongoing SOA consolidation.

Meanwhile, with XML firewall functionality rolled into everything from management platforms to core switches, what kind of product to use–even basic decisions such as whether to use hardware or software–will depend on the scale and predicted growth of each enterprise’s Web services, as well as any existing SOA infrastructure.

Decisions around encryption and authentication are harder, as they don’t depend on a single organization. Everyone in a Web services extranet needs to be using the same technologies, and right now, there are several competing standards. The biggest conflict is over identity management, the complex exercise of ensuring that a user or process logged on to one company’s systems is authorized to use those of a partner. The first, SAML (Security Assertion Markup Language), is supported by almost everyone–except Microsoft. Redmond prefers the newer WS-Federation, which is more tightly bound to other Web services standards. Although both use XML, the two are incompatible, meaning enterprises with public Web services must either support both or ensure that all their business partners using secure Web services choose the same standard.

To help, Oasis (Organization for the Advancement of Structured Information Standards) created WS-Security, a standard for applying XML Security and XML Encryption in Web services. Its main weakness is that, like all the WS-* standards, WS-Security requires SOAP–anyone doing business with Web services running REST (Representational State Transfer, a way of describing XML Web services that don’t use SOAP) need not apply.

Though WS-Security helps encrypt and sign SOAP messages, it doesn’t say anything about AAA (authentication, authorization, and accounting) or security policies. The exception is federated identity, where the relatively new WS-Federation and WS-Trust are competing with SAML 2.0, an established standard also published by Oasis. The main practical difference is that SAML uses XML Encryption and XML Signature directly, meaning it can work with REST, whereas WS-Federation requires SOAP. SAML also has a large installed base, though this may not count for much because Microsoft has thrown its weight behind WS-Federation and said it will not support SAML.

Unlike some other standards battles, this isn’t simply a case of Microsoft vs. everyone else.

On the public Internet, firewalls were one of the earliest drivers for Web services. Although different organizations have different security policies, almost all need to keep Port 80 open, so vendors and standards bodies gravitated toward text-based protocols that run over HTTP. And, for the same reason, so did attackers and malware. As a result, companies publishing Web services to the Internet have traditionally used application security gateways, appliances that can read and understand application-layer documents, filtering out potential attacks. The deep-packet inspection and understanding of XML required to recognize attacks also makes security gateways useful for XML transformation and routing, and often better at it than management software, thanks to specialized SSL or XML acceleration hardware. The other independent security gateway vendors–Layer 7, Vordel, and Xtradyne–are moving in the opposite direction, toward software and virtualization. Vordel and Xtradyne have always distributed their gateways as software, intended to be installed on dedicated blade servers.

http://www.informationweek.com/news/showArticle.jhtml;jsessionid=AWX5VKJHPYNXCQSNDLRSKH0CJUNN2JVN?articleID=201201384

Chris Farrow, director of the center for policy and compliance for Configuresoft, says the creation of a security benchmark for virtual machines began last year.

Some large financial firms were retooling their data centers with virtualization, and they urged CIS to consider addressing virtual machine security as well.

“We found that no one was building a best-practices [model] for securing the virtual infrastructure,” says Farrow, who works with the CIS, which is made up of vendors, universities, consultants, government agencies, and enterprises.

Configuresoft is among the organizations working on the security benchmark, which will include benchmarks for specific virtualization software, including VMware’s ESX Server, Microsoft’s Virtual Server, and Xen Virtual Machine. To prevent malicious activity from a “guest” virtual operating system, for instance, the benchmark recommends disabling the copy-and-paste operations between the guest OS and the remote console, says Joel Kirch, information assurance programs manager for WBB Consulting and a member of the CIS team working on the virtualization benchmark.

http://www.darkreading.com/document.asp?doc_id=130189&WT.svl=news2_1

When asked this, many independent observers – former CSOs or consultants working with CSOs – offer a different perspective. They think security pros need to worry more about retaining the best staff and should be careful not to become too consumed with regulatory compliance.

What has security pros worried?Michael Barrett, CISO at eBay money-transfer service PayPal, says there is always an undercurrent of panic in the event that something blows up. “Most datacenters are held together by sheer heroic effort,” he says. Because PayPal is a global company, Barrett says he worries whether the company has the right interpretation on legislation and regulation related to data privacy around the world and the right controls in place. His long-range concerns have him asking questions such as: In terms of stopping criminals and attackers, do we have the right investment mix and the right set of projects?

Adam Hansen, the IT security chief at Sonnenschein Nath & Rosenthal in Chicago, says his main worry is data privacy and the possibility of a data breach. The creative content, whether pre- or post-production, is held in film canisters and digitally on servers, and Technicolor guards it through tight physical and IT security.

Risk management can sound like a “Mission: Impossible” episode in large organizations with many lines of business, tens of thousands of employees, and lots of applications and networks to keep an eye on.

“I’m always on call,” says Jalal Zamanali, senior vice president of IT and CISO at Temple-Inland in Austin, Texas, and its subsidiary Guaranty Financial Services, with combined interests in corrugated packaging, forestry, real estate, and financial services. Although he has a security staff of 17 to stay abreast of IT projects, Zamanali says his top concern is making sure security controls are on track in terms of regulatory compliance rules related to the SOX (Sarbanes-Oxley) and Gramm-Leach-Bliley laws. “The chief audit officer has to translate these laws into control points,” Zamanali explains. Consequently, Zamanali – who reports to the chief risk officer – makes sure he meets with the chief audit officer about once a week to discuss compliance issues.

Beth Cannon, CSO at merchant bank Thomas Weisel Partners in San Francisco, says audits to provide evidence that security policies are enforced in IT systems and processes are her main worry.

What CSOs should be worrying aboutConsultants and other industry experts don’t dismiss the issues that CSOs and CISOs are worrying about, though they recommend a host of things that might warrant even more of security professionals’ attention. CSOs should worry about losing their jobs because all too often their stance on security is seen by upper management as overly technical or a bad fit, says Jon Gossels, president and CEO of consultancy SystemExperts in Boston.

Brad Johnson, vice president at SystemExperts, say one key worry that CSOs should have is where and how they’re going to find and retain the best security-savvy employees.

Zeitler, whose 30-year career included positions as CISO at Volkswagen Credit and head of security at Charles Schwab and Fidelity Investments, says a top concern for CSOs should be whether they can find personnel with the right skills at the right price. He points to computer forensics, which requires people trained in procedures to capture potential evidence and preserve it appropriately, as an example.

What to do about compliance Howard Schmidt, the former security chief at eBay and Microsoft and former White House cybersecurity advisor, says there’s no doubt that regulatory-compliance issues are going to be a top worry for the CSO or CISO.

http://www.infoworld.com/article/07/07/24/security-standard-01_1.html