Category: Uncategorized

“PCI has driven a good ecosystem in the log management space, so the back-end technology is there,” says Gunnar Peterson, contributing analyst for Securosis and managing partner of Arctec Group.

The trick is figuring out the right technologies to act as the sensors feeding data into that SIEM system and developing a sound means of implementation. Peterson says technologies such as Web application firewalls and XML security gateways should play a more prominent role in application-layer activity that has thus far been difficult for many organizations to track. “Those can play a pretty important role because they are outside of the application so the security teams don’t have to necessarily get involved with the application build process as much,” he says. “But at the same time to support something that’s going to be useful you have to be down at the message data level.”

As for best practices, Peterson says it varies by industry — but he has some suggestions for any organization to get started.

You can’t count on port numbers to identify applications. As House points out, applications such as BitTorrent and Skype hide in HTTP traffic specifically to elude security controls. “A monitoring solution that just classifies traffic on port 80 as HTTP is potentially exposing the organization to infected content online, especially pirated software and media files with embedded malware,” he warns.

Peterson says organizations need to leverage standards, such as CEE, which is being pushed by Mitre, or XDAS, which the OpenGroup is supporting, to help the front-end monitoring solutions “talk” with the back-end log management systems and enable you to fine-tune the data that makes it into the hands of the incident response team. “To mitigate this threat, an application monitoring solution needs to be able to identify and control both the content and the applications that are part of social networking sites,” he says. “Developers and security architects should spend time with those incident response teams just as if they were your business user — because, in fact, they are your business user — and interview them,” he says.

http://www.darkreading.com/security_monitoring/security/management/showArticle.jhtml?articleID=227701138

Traditionally, security technology companies and computer users have taken a defensive posture, putting the cyber equivalent of body armor on computers, networks and in the cloud. The report’s authors say it is now time to avoid enemy strikes altogether by taking a more aggressive stance, aligning forces and involving law enforcement.

“As we look at the evolution of risky domains and websites over multiple years, we can’t avoid the conclusion that the risk keeps increasing in both volume and sophistication,” said David Marcus, director of security research and communications for McAfee Labs.

Use hacker techniques: Data loss is accelerating at an alarming rate, as there were 222 million records lost in 2009 in the United States alone.

Provide data to help prosecute cybercriminals: A major component for combating spam lies in the hands of ICANN (the Internet Corporation for Assigned Names and Numbers), as it accredits the registrants that sell the domains which cybercriminals use to host malicious sites.

An offensive security practice should involve the entire security industry while incorporating methods that have proven successful. This includes educating those fighting cybercrime “on the streets” to have the latest in malware techniques, bringing tools to the mass population to help identify risky behavior, pointing users to the right contacts to report crimes, and helping to build education and awareness at the kindergarten level through higher education.

http://www.net-security.org/secworld.php?id=9713&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+HelpNetSecurity+%28Help+Net+Security%29

The decision to abandon email encryption projects in most cases was probably taken many years ago when those overheads became apparent. Since then, not only have the regulatory and legislative landscapes changed considerably (DPA, FSA, SOX et al), but so has the technology.

http://www.cio.co.uk/opinion/ferguson/2010/05/27/email-encryption-must-be-prioritised/

Without a reward, “You are not providing any incentive for the managed security service provider to detect breaches,” says Asunur Cezar, the paper’s lead author and an instructor at the Middle East Technical University in Ankara, Turkey. “It may be penalized after some investigation, but that does not necessarily act as an incentive.”

The research also found that, when penalties are limited in some way, the second variant — using one MSSP for monitoring and another for detection — provides better security. The researchers pointed to court cases that limit penalties against service providers, concluding that such real-world limits mean having one provider essentially audit the other leads to the best performance.

The results of the study could be interesting academically, but they might not translate well to real-world MSSP contracts, says John Pescatore, vice president of analyst firm Gartner. In the real world, service firms are providing a specific function, not blanket protection, so it is usually difficult to penalize the companies for a breach. “The contract is to manage your firewalls or manage your firewalls, intrusion detection system, and antiviral — they are not saying, ‘Sign up with us, and we will protect you against all breaches,'” Pescatore says.

http://www.darkreading.com/securityservices/security/management/showArticle.jhtml?articleID=225200295&cid=RSSfeed

When Lauer arrived at the agency, he had a list of more than 20 noncompliance items from Federal Information Security Management Act audits.

Now when users log on to the MCC network, they are greeted by a Tip of the Day awareness training application, which asks a question about IT security. Besides giving managers an easy way to assess the agency’s training program, the daily quizzes have also made employees more mindful of security.

“We’ve had a tremendous reduction in viruses,” Lauer said. “Instead of clicking on things, [users] call the help desk. They never used to do that before.”

But not every agency can report such success. Indeed, experts say the goals of user training efforts are still a long way from being realized. “There is a gap, and the gap is costly because it undermines all the technology being thrown at security problems,” said Keith Rhodes, senior vice president and chief technology officer at QinetiQ North America’s Mission Solutions Group. “No approach to training is infallible because human beings are fallible, and of course, human fallibility is what training tries to counter,” Rhodes said.

Four out of five federal IT managers said they provide ongoing classes on security policies and procedures. But even then, almost half had seen employees post passwords in public places, violating one of the most fundamental security proscriptions. The survey highlights one of the hardest tasks in IT security: changing user behavior. For instance, firewalls won’t prevent an employee from stowing passwords under a mouse pad or engaging in other careless practices.

Security managers and industry consultants say there are a few basic techniques for evaluating the effectiveness of IT security training and improving the odds that the lessons will sink in. At MCC, new employees receive IT awareness training as part of their orientation, and the security tip of the day provides ongoing reinforcement. MCC officials keep tabs on employees’ security awareness by tracking responses to those daily quizzes via a monthly performance report.

Organizations with multiple locations always face a tough challenge when it comes to developing and measuring the success of training programs. The state is 18 months into a four-year initiative that will meld the IT operations of 16 executive branch agencies under the statewide Office of IT. “To get metrics to prove that end-user security is working, you’ve got to be in a consolidated environment,” said Seth Kulakow, Colorado’s chief information security officer. Consolidation will provide the consistency required to gather the correct metrics, he added.

Barr recommends that agencies use internal IT security employees to conduct quarterly vulnerability assessments and external experts for annual vulnerability assessments.

Elsewhere, Colorado’s Kulakow has recommended making an employee’s adherence to security policy part of his or her performance evaluation.

Content filtering and data loss prevention are among the products agencies can use to counteract human nature, said Keshun Morgan, a networking and security specialist at CDW-G.

Tip no. 1: Make employee testing simple and routine
Tip no. 2: Check what they do, not just what they know
Tip no. 3: Put security in personal terms
Tip no. 4: Invoke consequences for misbehavior
Tip no. 5: Always remember the limits of training

http://fcw.com/articles/2010/01/25/feat-cybersecurity-training-a-must.aspx

No. 1 Game-Changing Force: ‘Black Swan’ Events As Nassim Nicholas Taleb explained in his 2007 book of the same name, the term “black swan” refers to an event that is high-impact, hard to predict and rare.
Black swans need not be negative (as in the case of 9/11) and can present times of great opportunity, but CSOs rightfully spend their time worrying about the former scenario. When it comes to the supply chain, black swan events can include everything from disastrous weather to global pandemic to terrorist attacks.

The problem is, if you prepare for the worry du jour, you may leave yourself exposed on other fronts. Warned that a large-scale outbreak of Asian bird flu would put supply chains at risk, global businesses braced for the worst. Executives discussed how the supply chain might be affected if the flu broke out in China. Their plans rested on transporting and storing materials in other places around the world. Then, early this year, H1N1 flu broke out in Mexico and spread quickly to unexpected regions like Australia.

“Companies had to immediately reassess their plans because they were based on specific scenarios,” says Adam Sager, senior manager of business continuity consulting at Control Risks, a security consulting firm in Washington. “Companies realized they needed to better prepare for unexpected events and increase their knowledge of how their organizations could be impacted. If something is emerging on a global basis, they need to act before it affects their supply chain,” says Sager.

When a crisis hits—no matter where on the globe—you need to be able to understand and assess the situation using firsthand country- and location-specific information, says Sager. And you need bi­directional communication between crisis managers and the locale where the event is occurring. Sager notes that companies are discovering gaps between their crisis plans and their operations. “They had security management and crisis management plans in place, but the missing link was integrating them with the business so people around the world could understand management’s position regarding critical things such as uptime, issue resolution and who’s responsible,” he says. This type of information is often not conveyed to the field in advance, a crucial error. Management needs to empower local decision-makers in advance to take action quickly to mitigate damage if certain conditions are met.

The plans have to address not just key supply chain nodes and specific scenarios that could occur, but also emerging security vulnerabilities. “That is a different mind-set and way of planning,” Sager says. “The security department has to come together with the operational/financial side of the business,” looking at all aspects of the supply chain, including where the different components are located and alternative sourcing arrangements. Sager puts his clients through tabletop testing, in which executives sit in a conference room and go through a scenario point by point with the key decision-makers, reviewing how they would respond.

Marc Siegel, commissioner for the ASIS International Global Standards Initiative, is leading the charge to develop an ISO standard for supply chain resilience. ASIS has already published SPC.1, its first organizational resilience standard, which it expects will be ready by the end of the year. “We think standards are the answer for dealing with [black swans],” Siegel says. “Companies have to develop a comprehensive [supply chain resilience] strategy because their resources are limited… This allows you to look at the full picture, rather than just separate out the different things.”

Organizations need to approach risk from a holistic standpoint, Siegel adds. “The problem with the risk du jour is that the likelihood of it happening varies so greatly between organizations that it can divert your attention away from doing a comprehensive risk assessment.” In short, it can make you take your eye off the ball.

No. 2 Game-Changing Force: The Rise of Malware Information security matters also weigh on CSOs’ minds, though they are not as visibly related to the supply chain as physical security is. An organization (and therefore its supply chain) can be brought low by an attack on its information network as surely as it can be hurt by an attack on its cargo. Many CSOs say they are worried about botnets; two of the most pressing threats related to botnets are spam/phishing attacks on employees and the possibility of a resurgence in the denial-of-service (DoS) attacks that first appeared 10 or more years ago. Ed Amoroso, CISO of AT&T, blames rampant technological complexity for the rise in malware. “The primary root cause for almost everything we deal with—commercial customers and everything—is complexity. The computers and networks that people set up and use have become way too complicated,” says Amoroso. “DoS used to be about large-volume traffic hitting your network,” says Lee, an officer for the National Incident Response Team and assistant vice president at the Federal Reserve Bank of New York. Rena Mears, a partner in security and privacy services for Deloitte & Touche, believes the malware supply chain is itself approaching maturity. Lee, for one, does not believe that network service providers can adequately protect against the threats posed by new-breed malware. Many CSOs expect the associated threat pool to continue to widen.

Although the economy is forecast to improve slowly in the coming year or two, many experts expect the reshaped landscape will not necessarily signal a return to prosperity for all, or even most, of society.

This is certainly true in the food/beverage/agribusiness industry, due to the obvious importance of maintaining a food supply that’s safe from contamination, whether malicious or innocent.

http://www.csoonline.com/article/510943/Supply_Chain_Security_Threats_5_Game_Changing_Forces