Category: Uncategorized

As a result companies are adopting a more strategic approach as they recognise that contingency to guarantee a robust and reliable IT infrastructure is critical. This is because they have neglected to make long-term plans which take into account the speed at which technology develops and changing market forces. Businesses are finding themselves locked into vendor relationships that fail to offer cost-efficient solutions for the long-term management of escalating volumes of data.

It is important to recognise that an effective managed business function is achieved through assessment, planning, execution and evolution. Through the adoption of a long-term strategy and the effective forward planning of data management, an enterprise can make more efficient use of existing capacity and have greater control over the movement and location of data.

For example, as it’s been estimated that approximately 65% of online data is rarely accessed, businesses should look to free up online resources for more core business applications.

The effective management and control of a comprehensive back-up solution is critical to minimising business risk, but companies are failing to make thorough disaster recovery plans or are adopting inefficient processes. It is vital in the current corporate environment, to ensure that a partner has a reliable support infrastructure, suitably skilled personnel and can guarantee levels of service. Failure to meet any of these critical elements will threaten the success of a managed services approach.

As standards become more defined and universally accepted, the rush to storage attached to the network is bound to accelerate.

http://www.ebcvg.com/articles.php?id=865

Despite the headlines, the conferences and the stated objectives of many large public and private organizations, many executives still wrestle with how to effectively deploy security measures that protect critical information assets underpinning their mission critical operations.   It is the position of this White Paper that the challenges many organizations face in markedly reducing the risk posture of their organizations stem from a tactical understanding of risk and vulnerability assessment, perimeter security, threat remediation including anti-spyware, patch management and other critical security activities.

Today, many organizations still treat each of these activities in a distinct and discrete manner, making it difficult to get a big picture understanding of their risk posture, inhibiting their ability to respond appropriately and cost-effectively to threats.

According to analysts at IDC, worldwide spending on information technology will grow at 6 percent a year through 2008 to reach 1.2 trillion dollars, up from 965 Billion in 2004.  That increase in spending is an explicit recognition of the role IT plays in helping organizations to achieve their strategic business objectives.  However, it also represents a growing target of opportunity for those who wish to exploit our growing dependence on technology.   This helps explain why in the United States alone the market for information security will grow at 19 percent a year through 2008, according to recent data from the Freedonia Group.

That is more than three times the rate of the global IT spend.

According to the Freedonia analysts, much of this growth will be driven by efforts to integrate security on an enterprise-wide basis.  It would seem that people are voting with their wallets, and acknowledging that security is indeed a strategic issue.

But is there truly a broad strategic recognition of security’s strategic imperative?  In the summer of 2004, a survey by the Conference Board revealed that almost 40 percent of respondents consider security an overhead activity that must be minimized.

The situation appears no better in the public sector.  Agencies in the federal government continue to struggle with meeting the requirements of Federal Information Security Management Act (FISMA).   In early 2005, the Government Accounting Office (GAO), the investigative arm of Congress, concluded that poor information sharing and management was responsible for exposing homeland security to unacceptable levels of unnecessary risk.The problem illustrated by the above points is not one of effort or discipline.

Millions of dollars are invested on security technology and hundreds of thousands of man hours are brought to bear on protecting critical information assets by IT and security personnel.

The problem, rather, is one of perspective.  In both cases, security measures appear to be treated as stand-alone activities that are divorced from the technologies, business processes and information assets they are meant to protect.

Security, in short, is treated by many organizations as an afterthought.   According to PatchLink CEO Sean Moshir, “One of the greatest threats to enterprises today is that many — too many — organizations still consider security the lock they put on the door after the house gets built.”  Blind, in the sense that is difficult to get a clear, complete and accurate picture of an organization’s security posture.It is also costly.

According to recent research from Yankee Group, it can cost as much as $1 million to manually deploy a single patch in a 1,000-node network environment.  The firm has documented an instance in which an organization spent $2 million to rush a patch in a telecommunications network that had 500,000 nodes.  It is the manual labor, the fixing of problems, the downtime for businesses while the patches are being deployed,” explains Phebe Waterfield, Senior Analyst, Security Practice, Yankee Group.

Waterfield confirms that many organizations remain highly reactive in their approach to patch management, and therefore have not developed automated and integrated strategies for making sure that the most current measures are in place within the enterprise to deal with known threats to their IT assets.  This contributes to a reactive and expensive approach to security that does not make progress toward the goal of reducing an organization’s risk posture.

Malicious hackers, authors of viruses and other sources of threats have become a major cost of doing business in the digital economy.  Their handiwork is now covered by the mainstream media as well as the business and technology press.  Their destructive impact on the economy is measured in the billions — if not trillions — of dollars.

We are seeing the rise of hybrid threats in which viruses are used as launching points for initiatives that are designed to gather sensitive corporate data and/or execute identity theft.  For instance, spam is being used for phishing (an online con in which a “fake” site is set up to attract victims and solicit sensitive information from end-users), at which point spyware/malware or viruses are planted on consumer computers, while simultaneously gathering information that makes it easier to hack into the networks of the organizations they are spoofing.

Where once the hacker community may have been seen as kids playing games, today we see malicious activity that is profit driven in some cases, and guided by fanaticism in others,” notes Moshir.

According to PatchLink’s Moshir, an effective strategic response to these threats must consist of four basic elements.  The data gathered by sensors and reporting tools should be presented in ways that are meaningful to the users who must make decisions based on that information.  And the data must be standardized so that information from one security system makes sense to the rest of the organization.Moshir emphatically states, “From a management standpoint, there must clarity and transparency within and between all security systems.

Lane is the founder and director of Cooper Research Associates.

http://www.net-security.org/article.php?id=814

Problem: Organizational Roadblocks Most organizations view the CISO not as a security and risk manager, but as a manager of security assets, like firewalls, intrusion detection/prevention systems, and incident response capabilities.

According to the 2004 CSO Security Sensor Survey, 38% of respondents place the CISO in the IT chain of command, reporting to the CIO, whose primary responsibility is to maintain the availability of information systems. This placement hinders the CISO’s effectiveness and limits his or her ability to implement change, for a couple of reasons. Security’s message doesn’t reach senior business leadership.

When the CISO reports to the CIO, a primacy is established. Operational responsibilities take priority over strategic planning. Particularly when threats may cause business disruption, tactical issues take precedence over longer-term planning. It is easier to buy and implement firewalls and intrusion detection systems than to develop security policies and implement a sound awareness program.

Without long-term planning, the organization will remain trapped in the patch-and-pray scenario.

“Ideally, the institution should separate the information security program management from the daily security duties required in IT operations. The senior information security officer should be an ‘enterprise’ risk manager rather than a production resource devoted to IT operations. To ensure independence, the information security officer should report directly to the board or senior management rather than through the IT department” (FFIEC Information Technology Examination Handbook).

Firms who take this approach will realize new benefits from their CISOs. IT-independent CISOs can frame security in terms of business issues rather than IT projects.

A traditional security manager’s explanation of the recent ChoicePoint fraud case might sound like this: “The server’s verification and authentication processes for the client Web portal were ineffective, thereby facilitating fraudulent access to sensitive back-end systems and personally identifiable data.” When framed in terms of business issues: “The trust model used by ChoicePoint failed in such a way as to compromise the company’s most vital assets.”

A trust model establishes the standards by which an organization determines who to trust with its assets.

Organizations have several options as to how to reposition the CISO. They can combine information security with physical security and elevate the senior security officer to CSO, reporting directly to the CEO. The CSO Security Sensor Survey indicates that 34% of its respondents have implemented this change, up 15% from the previous year. By combining physical and cyber security under one executive, the organization gains a holistic view of potential threats and the associated vulnerabilities.

Elevating the chief security executive to CRO-chief risk officer-makes sense in medium to small enterprises where key executives often assume multiple roles. The benefit in this approach is that the CRO considers areas of risk beyond those dealt with by a CSO or CISO.

A second compelling reason for many CISOs’ lack of success is their inability to establish a credible economic basis for security investments and to assess information security relative to business initiatives. Much has been said about return on security investment (ROSI) and security metrics. At first glance, metrics seem to be the Yellow Brick Road to the boardroom. However, the CSO Security Sensor Survey reported that 34% of respondents did not use ROSI and had no intention to do so. The problem with ROSI is that its components are too subjective. Right now, there is no standard, statistically valid method of measuring ROSI. Some CISOs are using “homemade” formulas to calculate ROSI, but without sound standards and appropriate rigor, these calculations are not worth the time it takes to create them.

Solution: Use a Standard, Valid, Reliable Metric Be cautious of traditional security metrics, such as “total number of incidents reported.” When you add more firewalls, the number of incidents reported goes up, not down. Associative-Based upon a best practice or security model that enables comparison within the organization, within the industry, or across industries. One way to achieve an associative metric is to use ISO-17799 as the template for your security program. ISO-17799 is a comprehensive set of controls utilizing the best practices in information security.

http://www.securityinfowatch.com/print/Security-Technology-and-Design/Homeland-Security/Repositioning-the-CISO/4789SIW2

As they review their process, further refinements with more specific company data will enable a clear view of the costs to the IT organization.

As they create IT security compliance strategies and identify their potential impact to productivity and tangible costs, new data can be used to provide a calculation of the financial benefits of implementing security that closely reflects actual financial impact.

This enables organizations to create “what if” scenarios and to validate potential compliance strategies by creating a snapshot of the potential benefits associated with each one.

The Compliance IT Security Cost/Benefit Calculator shows the cost savings associated with productivity gains in security management, compliance management, and mitigating security risks with a long term view. “This Compliance IT Security Cost/Benefit Calculator contains tangible and intangible benefits to provide an assessment of the potential return on IT security compliance spending. The results are completely private and organizations can come back to the calculator as often as needed to update and fine-tune their requirements and planning.”

http://www.apani.com/calculator
http://www.ebcvg.com/articles.php?id=809

NetContinuum has created the checklist in order to help IT managers focus and prioritize the needs of IT management by identifying 27 distinct operations, covering both traffic delivery and security inspection including enforcement operations that are potentially applied to every transaction hitting a website.

“The Secure Application Delivery Checklist offers guidance to help them understand all the steps in the HTTP transaction lifecycle required to fully secure and manage application traffic and determine the product that best fits their needs,” Mr. Abrams added.

http://www.ebcvg.com/articles.php?id=808

A zombie is a computer that has been compromised by attackers, typically for the purpose of sending spam e-mail and viruses to literally millions of recipients. Once installed on the victim’s computer, the Trojan allows a remote hacker to take control of the machine and use it for any of a number of nefarious purposes.

In fact, today’s hackers (the “zombie masters”) have become so sophisticated that they have begun creating coordinated networks of zombie computers that can launch a full-scale attack at a moment’s notice. This traffic can include: Spam, Phishing scams, Viruses, Distributed Denial of Service attacks, Redirects to websites containing malicious code.

Zombies can be created in several ways, including via peer-to-peer networks and maliciously encoded websites. However, the most popular method for distributing the Trojans that create zombies is via an e-mail attachment masquerading as an innocent file, such as a digital photo or contest entry form.

The first generation of zombies was made up mostly of corporate-based machines such as Web, e-mail, or DNS servers. Because these machines were on high-speed networks, they provided an ideal platform from which damaging attacks could be launched. Because these machines were on high-speed networks, they provided an ideal platform from which damaging attacks could be launched.

However, corporate systems have become increasingly secure and more tightly monitored, making them less attractive to hackers. Now, the hackers have turned to the next set of victims, vulnerable home computer users. These computers are easy targets, as home users often lack the Internet savvy necessary to adequately protect their machines with firewalls and up-to-date anti-virus protection; many will also willingly open email attachments from unknown senders, enticed by the promise of easy money or cheap prescriptions.

In addition, the widespread availability of always-on, high-speed home connections using cable and DSL has made the home user an obvious target for zombie masters. In fact, this alone is the single largest contributing factor to recent escalations in spam, phishing attacks and Distributed Denial of Service (DDoS) attacks.

When the attacks involve distribution of viruses via spam techniques, the stakes are raised even higher. The costs of a DDoS attack can be crippling to today’s enterprise, resulting in lost sales during downtime and recovery, and more importantly, loss of trust from partners and customers should the attack become public information.

Taking into consideration that each zombie involved in a recent DDoS attack launched 64 connection attempts per second against the targeted corporation, it’s easy to see how even the most robust systems can wilt under the massive load inflicted upon them.

Some basic tenets of security should be followed at all times, whether you want to protect your enterprise network from spam, viruses and DDoS attacks spewed forth by zombie networks, or protect your home computer from joining the ranks of the undead. The best-of-breed appliances available offer both inbound and outbound protection via an objective, dynamic reputation system, connection management technology and robust anti-virus capabilities.

The best-of-breed appliances available offer both inbound and outbound protection via an objective, dynamic reputation system, connection management technology and robust anti-virus capabilities.

http://www.ebcvg.com/articles.php?id=796