Category: Uncategorized

“We started seeing huge vulnerabilities,” Borg said Wednesday at the GovSec conference in Washington, where the draft document was released. Most of the systems were compliant with current security checklists and best practices. “And portions of those systems were extraordinarily secure. But they were Maginot Lines,” susceptible to being outflanked. The problem is that existing best practices are static lists based on outdated data. “We are way into diminishing returns on our investments in perimeter defense,” he said. “To deal with it now, you have to think of the problem of cybersecurity not from a technical standpoint, but by focusing on what the systems do, what you could do with them and what … the consequences [would] be.”

The list is based on real-world experience and on economic analysis of breaches. Surprisingly, the researchers found that simply shutting a system down is not the biggest threat in most areas of critical infrastructure. “Shutting things down for two or three days is not that costly,” Borg said. The larger threat is disruption of systems in ways that are not immediately evident.

“All of the things we are talking about are already under way,” Borg said, but some of the items in the checklist have no cost-effective commercial solutions. Borg said he hopes industry will step up to the plate to create solutions, and that government will adapt its acquisition policies to create incentives for these developments.

Borg said there is no schedule for final DHS approval of the draft. Additional information about the checklist is available from Borg at mailto:scott.borg@usccu.us.

http://www.gcn.com/online/vol1_no1/40564-1.html

Essentially, the process works by tricking e-mail recipients into going to phony Web sites to divulge personal data, like bank-account numbers or credit-card information.

Identity thieves also use technical subterfuge through spyware and Trojans to capture user names and passwords so they can gain access to consumers’ financial details.

http://www.cio-today.com/story.xhtml?story_id=42950&page=1

They can be simple credentials such as usernames and passwords, or more complex forms such as PKI based X509 certificates or claims based assertions in SAML tokens. To be really useful in today’s identity infrastructures an identity device must be more than a secure store of static credentials. It must also be able to generate cryptographic keys, perform digital signature operations, parse request messages and emit security tokens in standard formats. One doesn’t normally associate these operations with USB storage.

In fact, digital identity functions are very different from mass storage, but that doesn’t mean that they cannot exist on the same device, just as digital cameras now exist on cell phones. After all, digital identity devices already exist in other form factors such as smart cards and yes, USB key fobs.

Portability has been the Achilles’ heel of smart cards and USB tokens.

Even when you have deployed a smart card solution with all of the required components and middleware, you’ll probably find that the solution won’t work with another brand of smart card without swapping in new middleware components. The U.S. Government has addressed these interoperability challenges by developing GSC-IS (Government Smart Card Interoperability Specification) so that they can deploy smart cards to federal employees without being tied to one smart card or middleware provider.

This opens up a whole new set of possibilities for security operations as much more data can be sent and retrieved than what was previously possible on devices such as smart cards. The widespread native support and high bandwidth of the USB mass storage interface enables a digital identity device to be truly portable and accept high level application messages through a protocol that is as simple as reading and writing to a file.

http://www.it-observer.com/articles/1104/new_security_directions_removable_usb_devices/

Ultimately, security is everybody’s business, and only with everyone’s cooperation and consistent practices will it be achievable. Wireless security is a work in progress, so it is essential to administer a wireless network so that it becomes more and more secure. And with more organizations focusing strongly on wireless security, we can only expect to see many more secured wireless networks in the future.

http://www.onlamp.com/pub/a/security/2006/03/30/what-is-wireless-security.html

“We have to follow standards and listen to news groups. Adding encryption to prevent outsiders listening into conversations can also degrade performance.

“Providing QoS to use limited bandwidth but still encrypt data limits the ability to analyse what application is running, or decide what QoS should apply, ” said Gilad Brand, director of product management at VoIP gateway specialist Jungo.

SIP is an open standard that should help to address the security versus performance issue, but vendors’ implementations of the technology differ, so interoperability and uniform feature sets are not assured in the short term, said Slaby.

http://www.vnunet.com/2152383

It is for this reason that a choice between implementing network security in the middle of the network — in the cloud — or at the endpoints is a false dichotomy. An organization had no choice but to put its firewalls, IDSs and anti-virus software inside its own network. Security would be vastly improved if the major carriers implemented cloud-based solutions, but they’re no substitute for traditional firewalls, IDSs and IPSs.

http://www.computerworld.com.au/index.php/id;1786107200;fp;16;fpid;0