Category: Uncategorized

Lawrence Orans, a principal research analyst, and John Pescatore, vice president and research fellow, told attendees at the Gartner IT Security Summit in Washington, D.C., not to fear going ahead with projects that use voice over IP technology, Virtual Private Networks over the Internet and wireless hot spots. The computer-security experts also advised their audience not to waste time or money on products they don’t need to meet federal regulations and protect against malware on mobile devices.

The men debunked five popular security myths:

* Eavesdropping risks makes VOIP telephony too insecure to use. Industry and the media overhype the danger of eavesdropping because it is as easy to eavesdrop on voice packets in a network as on data packets, Orans said. Companies that follow best practices to protect their data should have no trouble protecting their Internet telephony operations”.

* Malware on mobile devices will cause major business disruptions in the near future. The hype about antivirus products to protect cell phones and PDAs has been around since 2001, Pescatore said. But he said he predicted that viruses and other malware used against wireless mobile devices won’t cost more than antivirus protections against them until the end of 2007 at the earliest. More Americans need to use smart phones and PDAs with always-on wireless capability, Pescatore said. Additionally, mobile malware attacks won’t become a real threat until the users of these wireless items commonly send locally executed software”, he said.

* Viruses will not destroy the Internet. Named after Andy Warhol’s “15 minutes of fame” quip, a Warhol worm infects all vulnerable computers on the Internet within 15 minutes, Orans said.

* Compliance with government regulations equals security. The increased federal regulation prompted by Sarbanes-Oxley and similar legislation does not automatically lead to more security.

* Wireless hot spots are unsafe. The threat of “evil twins” setting up rogue access points to fool unsuspecting Internet users into thinking they are on real sites and then divulging confidential information is a red herring.

http://www.fcw.com/article89119-06-07-05-Web

Shredders themselves come in two basic varieties, strip-cut and crosscut.

A strip-cut shredder cuts the paper into strips ranging from a quarter-inch to a half-inch wide. Strip-cut machines are more popular because they are usually less expensive, tend to be quite durable and generally shred faster than crosscut models.

With crosscut shredders, documents are cut in two directions, producing very small particles. Rather than cutting paper into strips, crosscut shredders reduce it to smaller particles—resembling rectangular confetti and measuring approximately one-quarter inch by 1.5 inches—and provide much more security than strip-cut machines. Because the particles are so small, they are self-compacting, reducing overall bulk.

Cody Ford, president and CEO of Houston-based ChurchStreet Technology Inc., had observed the Enron Corp. financial meltdown when he was working at Enron as an IT consultant. ChurchStreet’s proprietary Strip-Shred Reconstruction and Cross-Shred Reconstruction suites enable companies to have their shredded documents reconstructed. With the exception of work done for government intelligence agencies, all client document reconstruction is done on ChurchStreet premises with ChurchStreet’s equipment.

The process basically works this way: Once ChurchStreet technicians receive document shreds from a client, they determine whether the original document can be salvaged. With a crosscut reconstruction, it is much more important that the collection bag be as undisturbed as possible, given the amount of shredded data.

Companies that blindly shredded documents in the past must now take a much more formal—and thoughtful—approach to what they want to shred and how they want to shred it. In 2005, nothing is simple in security, especially shredding a piece of paper.

http://www.eweek.com/article2/0,1759,1830203,00.asp?kc=EWRSS03119TX1K0000594

Analysts project 2005 compliance related IT spending in the range from $1.5 billion to $5 billion. Early indications are that for many companies the cost of compliance is eroding profit margins. No one can predict what the impact of meeting SOX compliance requirements will be.

A new method for addressing SOX compliance needs is required; one that integrates into the existing infrastructure while providing new levels of control and visibility that will make the IT component of compliance continuous and ongoing. Compliance is driving innovation, and much of the innovation is focused on the role of identity and the ability to monitor and control interactions by identity.

A driving concept of section 404 of SOX is effectiveness of internal controls. Manual processes are expensive, recurring, and prone to errors, exposing risk and depleting resources required to roll out new business initiatives. Most, however, acknowledge that these measures are incomplete and realize that they’ll be back at it again. The most important component of compliance concerns the management of risk. Risk management addresses how a company protects its operational and financial well-being.

The deployment of so many IT infrastructure solutions has led to a nearly unmanageable collection of products, connections, skills and knowledge gaps that increase risk while compromising and limiting the ability to roll out new services. Many organizations are trying to address this requirement. Unfortunately, it’s nearly impossible to analyze this amount data if one tries to collect everything.

The problem is that SOX expects organizations to take an aggregated look at their IT environment, and the related business processes. In preparing to meet SOX regulations, organizations should be able to answer the following questions confidently: Can you clearly state who all your users are, their access? Do you have audit trails for users, assets and applications? Do you have verifiable evidence? Did you took appropriate action when a policy infraction occurred, and how fast can you provide this information? A company that can’t answer these questions affirmatively should consider a new method.

With the adoption of identity management (IdM) and user provisioning solutions, the role of identity is clearly becoming central to managing users’ interactions. Two types of automated controls — identity auditing and identity control — dramatically drive down manual IT audit activity while reducing critical areas that can be compromised. In such an environment identity extends beyond users to include assets, applications, transactions and data. Injecting identity at the network layer provides IT organizations with the knowledge of who is accessing what assets from where, both within and across enterprise boundaries. It uses this visibility to protect critical assets and ensure compliance, as well as the reporting to prove it, resulting in the simultaneous reduction of cost and risk. Such pervasive identity becomes the foundation for identity auditing and control by providing full visibility into the business transactions and establishing unequivocal proof of authorized actions and the response and control of unauthorized, illegal behavior.

Automation ultimately requires the ability to inject identity and track its activity and transactions across an enterprise and beyond, and to integrate this ability with existing IT infrastructure. It helps not only to enable successful compliance, but also to control the ongoing costs of maintaining compliance. And, as we continue to witness merger and acquisition activity in the IdM space, new and innovative identity-focused companies and technologies are emerging whose products are rapidly maturing through deployment experience.

http://www.ebcvg.com/articles.php?id=767

As dismal as your prospects may seem when you’re staring at an anemic budget, all is not lost. The magazine asked a group of security officers from several industries to share their advice on how to make business executives acknowledge security risks–and loosen the purse strings.

Sometimes you have to twist arms to get what you want. Or at least that’s the belief held by the director of security at a $5 billion manufacturing giant we’ll call “Company X.” The security officer, who asked not to be identified, has business-unit managers sign “risk-acceptance sheets” if they balk at covering vulnerabilities the officer identifies in their departments. If data is violated or uptime disrupted, the unit manager has already taken responsibility in writing. Of course, not every security chief has that kind of bargaining power. But getting funds for security initiatives is an expertise security pros must master to be successful. It is, after all, much better to procure funds in advance than to wait until after a security incident. Their secrets to success vary, but according to security experts two things remain constant: They demonstrate security technology in the context of regulatory priorities and construct pro-deployment cases that largely circumvent conventional ROI considerations.

Regulations
Unfortunately, many organizations don’t take the time to make risk assessments rationally when choosing security deployments, says Fred Cohen, principal analyst at the Burton Group. Instead, an increasingly stringent regulatory environment drives most security decisions. Security IT is learning to get funds by linking security expenditures to regulatory imperatives, such as Sarbanes-Oxley compliance, Cohen says.

Use regulatory changes to point out opportunities for increasing security in other areas of the business. If possible, use tangible evidence to prove a security risk. Use layman’s terms, and don’t inundate them with information. Follow the examples set by successful non-IT managers who consistently get their expenses approved. Have your requests coincide with a fortuitous time of the fiscal year to increase the odds that funds will be available.

A little networking with the people who hold the purse strings can help your cause.

Compliance concerns are leverage for security chiefs even in low-margin businesses. Solectron, an $11.6 billion company that provides electronics manufacturing services on a contract basis, must assure its clients that it has adequate disaster-recovery and other controls, which can have implications for the clients’ Sarbanes-Oxley compliance requirements.

Dennis Kavanaugh, Solectron’s director of architecture and risk management, says regulatory pressure has given him a bit more autonomy. He seizes opportunities to demonstrate how he can improve security whenever he’s discussing compliance controls with his CFO. Risks that haven’t actually materialized often will be pushed to the background in deference to some other regulatory mandate, Kavanaugh says. But he has success when he proposes smart spending without becoming overly aggressive. “Don’t be a kid in a candy shop, but take the opportunity to make practical, rational decisions,” Kavanaugh says. “You make the regulatory push, you tie it to the business, you maybe show some soft returns.”

Security technology doesn’t necessarily fit the conventional ROI models that support other IT investments. When return is quantifiable, it often involves lengthy research on factors, including how much time individual employees spend performing specific activities, and tying labor costs back to security tools, says Mike Griffin, SVP and director of information technology at PlainsCapital Bank. Such awkward quantifiers require security supervisors to get buy-in through strategies and skills unrelated to ROI.

Even ROSI (return on security investment) determinations produce only hypothetical numbers in case of an attack or other security violation. Such calculations look at current risk levels, quantify the cost of data loss or system downtime and build arguments for improving defenses based on those numbers.

Privately held PlainsCapital must comply with the GLBA (Gramm-Leach-Bliley Act), which requires provisions for protecting consumers’ personal financial information. The bank uses intrusion-protection technology, a virus-scanning system on its e-mail server and a spam filter for catching viruses. But for two years Griffin couldn’t secure funding for content-filtering technology to detect spyware. Things changed when a high-level PlainsCapital executive received an unsolicited fax that included a link to a pornographic Web site. When the executive realized anyone at the bank could access such sites from work, Griffin got $20,000 to buy content-management software from BlueCoat Systems.

“You want to be able to say, ‘Here’s your weakness, and here’s your proof,’ ” Griffin says. If PlainsCapital hadn’t been able to report which employees were accessing which Web sites and could be affected by spyware, it could have exposed itself to GLBA violations and penalties without knowing it. Griffin tries to make things simple when attempting to convince executives of the bank’s security risks. For instance, he’s effectively used simple graphs to show the volume of incoming spam, instead of delivering a broad-based report.

When it comes to making presentations to non-IT executives, directness and brevity are keys to success, says Margarita Muratova, who manages database security as SQL Server administrator for Canadian accounting firm RSM Richter. Muratova recommends presenting two or three product options with a broad price range and limiting all proposals to one or two pages.

Business executives tend to be very “siloed” in their knowledge, says the director of security at Company X. As a result, they often have difficulty understanding the interdependencies between business processes and IT. Few people can fully grasp the relationship among physical security tools, how they’re configured and what they protect. “You shouldn’t have to build a watch to tell time,” the security director says. He creates a “risk meter” by boiling risk assessments down to three levels: the business unit affected; the application software in question; and the platform, such as NT or Unix. “Demonstrating ROI will usually be impossible,” he says.

Foundstone’s vulnerability-management software scores the risk factor of enterprise systems by examining their position on the network, business function and known threats.

Risk Management
Other security pros advocate a thorough risk-assessment picture. Davi Ottenheimer, director of information security at boating supplies retailer West Marine, tries to link assets analytically with threats and present that information to business managers in the context of helping them perform their jobs better.

Vulnerability is an inexact metric, but it can comprise exposure to known viruses and how widely data can be accessed by personnel. “You want to help them do their jobs well.”

RSM Richter’s Muratova also stresses the importance of timing technology requests to coincide with a fortuitous time of the fiscal year, including both quarterly and annual budget-planning cycles. She recently wanted to expand the deployment to include a module that would give her a better view of which employees are selecting individual data records, but decided to hold off on pitching the module to her CFO and accounting partner committee until the fiscal year rolled around, freeing up a little more money.

http://www.securitypipeline.com/163105337

The ten tips, below, from C&C are intended to help organisations help themselves, use VoIP to improve the effectiveness of making their business critical information more accessible, yet secure.

1. Know your voice traffic
2. Know your data network
3. Logically separate voice from data
4. Use Quality of service (QoS) within a network
5. Security is as critical for voice as it is for data
6. Look to open standards
7. Examine the platform architecture of a VoIP/IPT platform
8. Adopt a modular solutions architecture
9. Converge data and network principals into one
10. Look for a roadmap with forward vision

http://www.ebcvg.com/articles.php?id=742

The correct answer to the question “where is my network vulnerable to attack?” To some extent, that’s the nature of the Internet beast; if you have a door open to the world, then it’s inevitable that someone will try to open it up. And there’s a good chance that they’re not doing it just to say hello.

Dan Ingevalson, the director of professional security services at Internet Security Systems, says that enterprises have gotten better at managing security vulnerabilities, but the increasing complexity of networks and network-borne applications make perfect protection impossible. “There is always going to be some level of complexity in a network that will create a network security vulnerability,” he says.

Having said that, some open doors are bigger and more common than others. A big part of maintaining network security, says Mark Curphey, senior director of consulting at Foundstone Services, a division of McAfee Inc., is knowing where these vulnerabilities are, and knowing how to plug them up.

Network edge devices: Though well-publicized, worms and viruses continue to be a common and, to some extent, under-appreciated network threat says Yankee Group senior analyst Jim Slaby. “We haven’t seen a really big, really pervasive worm like Blaster or Slammer in some time, but they are waiting in the wings,” he says. “It’s not that people are complacent, but the problem with worms is that they’re zero-day exploits. Signature defenses only work against things that you’ve seen before, or someone has seen before you, and they proliferate quickly.”

Although the high-profile worms of the last years have trained network security personnel to respond quickly and apply patches diligently, penetration tests still find perimeter holes — big, gaping holes, according to Curphey. “You see border routers with their admin interfaces open, so people can manage them from home,” he notes.

One company left a particularly flagrant open door to its networked printers, despite locking down every other process with a virtual private network (VPN). “The reasoning was that people could print without having to deal with the VPN,” Curphey says. “But the networked printers had IP addresses, making them a convenient and undefended jumping off point to the whole network.”

Web servers and Web applications: The Web is usually the meeting point between the enterprise and the outside world, and it is here that many organizations leave themselves vulnerable. With Web servers sitting off the firewall in a demilitarized zone (DMZ), they can often be the ideal gateways to internal company processes, according to Curphey. “Web servers without patches and passwords are frighteningly common,” he says. “It’s a lack of process, more than anything else. Organizations push these things out and someone forgets to update the software.”

According to Ingevalson, three-quarters of hacker attacks are on Web servers, since “that’s what’s out there.” This is particularly dangerous with the proliferation of Web applications. “Attacks have typically moved up into the application layer, and that’s one of the hardest things to protect against because there’s no one-size fits all solution.

Unprotected mobile and off-site endpoints: Even with the edge devices and Web servers locked up, one of the most common oversights is the vulnerabilities that organizations bring inside their networks.

Wireless networks: None of this is helped by the increasing prevalence of wireless networks. You just have to wander the streets of a big city like New York, opening your laptop in parks and cafes, to see how many unsecured wireless networks there are.

Voice over IP: For all of the potential points of attack on enterprise networks, it’s sobering to think that the technological push for Voice over IP [VoIP] has added one more. And it’s a vulnerability whose scale we haven’t even begun to consider.

http://www.networkingpipeline.com/163700201