Category: Uncategorized

“A company with at least 10,000 accounts to protect can spend, in the first year, as little as $6 per customer account for just data encryption, or as much as $16 per customer account for data encryption, host-based intrusion prevention, and strong security audits combined,” Litan said in an accompanying statement.

Litan recommended encryption as the first step enterprises and government agencies should take to protect customer/citizen data.

http://www.darkreading.com/document.asp?doc_id=96671&WT.svl=cmpnews1_2

Remediation costs, such as a credit monitoring service which Fidelity offered each customer to allow them to monitor that no fraud is taking place, can add up to several million more dollars. And the loss of some percentage of its angry customers, perhaps as much as 20% of its clients, will add even more to the total cost of the data breach. It is also likely that Fidelity will ultimately be assessed fines/penalties from government agencies, resulting in total monetary loss to Fidelity from this one data breach in excess of $10M. “Then you add on the cost of the personal credit watchdog services that companies often provide users who are victimized, plus the potential loss of business from the negative publicity, and the total loss to the company grows rapidly,” he said. And the loss of some key business information can also be a violation of the new business regulations, such as the Sarbanes-Oxley Act and the Health Insurance Portability and Accountability Act (HIPAA).

Gold suggested that companies need to take a series of steps to mitigate the risk both on laptops and smaller mobile devices:
1. Educate users
2. Password protection is set to “on”
3. Mobile management system
4. Determine which files can and cannot be downloaded
5. Encryption
6. Enforce connection/VPN security standards
7. Require active firewall protection and virus protection
8. Enable device lockdown and “kill” functions
9. Log device

The good news is that at least partial solutions for common BlackBerry, Windows Mobile and Palm OS handhelds are available on the market today.

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9000996&source=rss_topic17

The type of work the offshore group is contracted to do will influence how you extend your network. If the offshore group only needs to check code in and out, a full VPN would be overkill. Most major code repositories have built-in Web interfaces and username/password protection. Your network only needs to be extended to allow the front-end Web piece to access the back-end code repository. Using the popular Concurrent Versions System (CVS) as an example, there are several free, commercial-grade Web front-ends available. By setting up a publicly available Web site, using Secure Sockets Layer and relying on the built-in username/password protection in CVS, all that is required is a public IP address and fully qualified domain name. This is a simple solution that will let you sleep at night and play an uninterrupted round of golf on the weekend.

It also applies to offshore work that doesn’t require live access to your internal systems. Building on the above concepts will work for any access requirements that don’t involve live, real-time access to systems. If the business requirements are more involved than simple code check-in and check-out, then put the clubs aside.

What are the services the offshore workforce will need to consume that are hosted on your local network, such as Web services, database services or Network File System services? It might seem like more work than necessary to grant access to these systems at such a granular level. But by only exposing the application ports and hosts that are required for the specific job, you prevent any other traffic coming from the offshore network into yours, regardless if the traffic is hostile or not. Depending on the size of the offshore workforce, there are two common methods normally used to accomplish this — implementing a LAN-to-LAN VPN tunnel or client-based VPN access. A LAN-to-LAN VPN tunnel is a secure connection between two otherwise separate networks. A VPN endpoint can be a router, firewall, Windows server, Linux system or a dedicated VPN concentrator — anything that can encrypt and decrypt packets at an acceptable speed.

At this point, you have selected an offshore business partner, gathered a list of resources and purchased a VPN endpoint device. Name resolution, routing, latency and IP address conflicts all have the potential to keep you off the golf course. For an offshore workforce that has its own internal DNS servers, name resolution for the resources/hosts that I identified earlier can be an issue. A DNS zone transfer can be done between your DNS servers and the local DNS servers inside of the offshore group’s network, or you can create alias records on your public-facing DNS for these hosts. This filters traffic after it comes out of the VPN tunnel and before it reaches any part of your local network. You need to inject this network into your routing process or use static routes on the systems that the offshore group will access.

All the traffic that will come through the VPN will traverse the firewall. There are devices that will perform the VPN piece, NAT translation and stateful inspection all in one, but I have found these devices very hard to troubleshoot when using all of the above functions and not very good at controlling access to perform different functions.

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9000983&source=rss_topic17

Unfortunately, purchasing and deploying a full range of best-of-breed security solutions can be daunting for small-mid sized businesses that typically have only have a fraction of the resources and budgets of larger enterprises. These customers are typically willing to sacrifice best-in-class security, performance and features for simplicity, ease-of-use, and low price. To better serve this segment of the market where simplicity and low cost are top priorities, Unified Threat Management (UTM) products have emerged.

UTM is the evolution of the traditional Firewall into a Swiss Army product that not only includes a firewall but also content inspection and filtering, spam filtering, intrusion detection and anti-virus. The biggest value with UTM platforms is simplicity and lower price given its “all-in-one” footprint. While UTM solutions provide significant benefits, especially for SMBs, the design of many UTM appliances on the market today is a compromise of performance, functionality, price and simplicity.

Performance: The practical performance of a UTM appliance is often not obvious from reading the appliance specifications, since they typically depict just the performance of the firewall with the other security applications disabled or providing minimal functionality. The anti-virus performance of a UTM is typically limited to a small set of in-the-wild viruses, supported by a limited virus signature database. When simultaneously running another scanning application such as anti-spyware, UTMs will become less accurate as the scanning coverage is scaled down in an attempt to maintain speed throughput, or a combination of reduced accuracy and lower speed.

Scalability: With limited throughput and system performance, first-generation UTMs are expected to quickly run out of horsepower to keep up with the broadband speeds enterprises are demanding. Additionally, since many security platforms today utilize signature-based technologies, being able to flexibly reconfigure the platform and update the signature databases, in response to new variants and threats, has become essential. Utilizing a high-performance acceleration engine that can be easily integrated into an existing appliance and operate in conjunction with the appliance’s core CPU/NPU, UTM performance can be accelerated by as much as 70X.

Designed to accelerate bottleneck operations associated with supporting multiple simultaneous applications, high-speed packet process and content inspection, a security acceleration engine can provides CPU/NPU offload and ensure multiple application support with full content coverage and accuracy while maintaining throughout performance.

http://www.it-observer.com/articles/1151/utm_preparing_new_generation_security_threats/

Access to Public Web/E-mail: Vulnerability #1
Over 90 percent of business executives who responded to Bluefire’s survey are using their device for email, either for a web-based account or for a corporate server-based account. An attack can be anything from a hacker at Starbucks who is accessing the data on someone else’s device, to someone using Bluetooth to steal personal information from another person’s handheld. “Trojans” can be defined by something posing as something other than itself. For example, a “Trojan” can be an application that can open a port that should not be opened, allowing outsiders access to the device. Firewalls set rules for the device that designate which ports are allowing traffic into the device. A firewall can keep certain attacks out by blocking the ports that would allow those viruses in. Using Bluetooth requires the devices to be within 30 feet of each other while IR control requires the devices to point at each other from closer than 30 feet.

Some mobile security software controls can be used to keep wireless connections turned off. While most device owners are not using IPSec VPNs for personal communications, they should at least insist on secure web-based connections using SSL encrypted communications. Integrity Manager is an application that monitors the settings on each device and will quarantine the device if the settings change. Anti-virus with automatic updates also keeps your smartphone protected by providing an up to date list of all known viruses from which the software can scrub emails and attachments, just like on your notebook or desktop.

Access to Corporate Email, Networks, Databases: Vulnerability #2
Smartphones and wireless devices are often used to gain access to the enterprise server for e-mail, shared files, and shared databases. Yet as with other wireless networking options, this also leaves the device open to attacks, viruses, or “Trojans”, and ultimately makes the network vulnerable as an unsecured device connecting to a secure server makes that connection unsecured.

Mobile Security Solution: Vulnerability #3
Mobile security features for protecting lost or stolen devices. Bluefire has seen an increasing number of government and enterprise customers requesting that Bluetooth and IR be temporarily or permanently blocked from use. If a device is lost or stolen, the private information becomes open and accessible.

http://www.blackberrytoday.com/articles/2006/6/2006-6-1-Mobile-Device-Security.html

A year ago, network-based IPS was all the rage, whereas HIPS had an estimated 1% market-penetration rate, according to Gartner Inc. in Stamford, Conn. But new attack routes into the enterprise — such as the recent Windows Metafile (WMF) vulnerability — have forced IT organizations to rethink their tactics. In a recent Forrester survey of 150 enterprise technology decision-makers, 28% of respondents said they plan to purchase desktop HIPS during the course of the year, says Lambert.

Alaska, however, is ahead of the game. It is most of the way through an implementation of Cisco Security Agent (CSA) from Cisco Systems Inc. Along with the 19,000 desktops — primarily Windows-based ones, with a few Linux and Macintosh systems — CSA also protects about 2,000 servers across dozens of data centers. Software like CSA watches for behavior that would indicate spyware activity, such as a program opening a file in a temporary folder.

Software like CSA watches for behavior that would indicate spyware activity, but that is by no means the only way such tools operate. Most include several functions: In addition to host intrusion prevention, they can incorporate adware protection, protection against buffer-overflow attacks, firewalling, various forms of system hardening, malicious mobile-code protection and even signature-based modules.

Proventia Desktop from Internet Security Systems Inc. (ISS) in Atlanta is used on about 2,500 seats campuswide, most of which are student laptops — 95% run Microsoft Windows XP and the rest are Macintoshes.

“Some colleges have attempted to dictate to their students, but you really can’t control what they put on their laptops,” says Hammon.

Unlike virus signatures, though, they need to be delivered only about once a month. Instead of constantly scanning and analyzing every system call and application as CSA does, its SpyWall software zeroes in on the primary avenue of attack – via Web browser. For example, SpyWall blocked the latest Internet Explorer createText-Range zero-day exploit without using any signatures. “After we put in SpyWall, we didn’t get any more infections for six months,” says Robert Wong, network administrator.

First came enterprise-class anti-virus tools and then firewalls, IDS and spyware protection. But with each advance, attackers managed to outwit the defenses. Antivirus and spyware technology now appear to be morphing into back-line defenses, which are used to mop up employee goofs and safeguard against known threats.

That’s why the likes of Symantec Corp., CA Inc. and Cisco are gobbling up desktop HIPS vendors: Symantec bought ManHunt, ISS acquired BlackICE, Cisco bought Okena, and CA now owns Tiny Software Inc.

The next major release of CA Integrated Threat Management will include a firewall and HIPS.