CyberSecurity Institute – Page 334 – Security News Curated from across the world

EU and U.S. Diverge on Antitrust Law

Posted on December 22, 2004December 30, 2021 by admini

By forcing Microsoft to play by European rules and comply with court orders, such as the ruling that forces Microsoft to strip Media Player from Windows in Europe, the European Commission may hope to set a precedent for controlling corporations with a firm hand.

Robert Badal, a partner in the Los Angeles office of Heller Ehrman White & McAuliffe, and who specializes in intellectual property law, believes the ruling illustrates a growing gap between the approaches of the EU and the U.S. to intellectual property.

Judge Bo Vesterdorf’s decision not to grant Microsoft a stay from the penalties while it appeals the European Commission’s antitrust penalties, he said, illustrates that the EU is quick to conclude that a company should be compelled to share its intellectual property with competitors. “This will have a chilling effect on innovators,” he said, adding that there is a direct correlation between the amount of innovation a company produces and the risk of being forced to share those innovations with competitors.

Directions on Microsoft analyst Matt Rosoff said, “What Microsoft doesn’t want is a legal precedent under which a government agency can tell Microsoft what it can and can’t put into Windows.

The European Court of First Instance refused to relieve Microsoft from complying with the judgment levied by antitrust regulators, thereby enforcing penalties that go much further than what the U.S. Department of Justice imposed in an antitrust settlement.

On the other hand, if the penalties had been suspended, by the time the appeal process ended, the EU’s order to sever the media player from the operating system might have been moot.

“Microsoft was asking the court to take a huge leap of faith pending outcome of final decision,” said Andre Bywater, an attorney in the Brussels office of Eversheds, LLP. He said that in domestic cases in both the UK and France, it’s extremely difficult to persuade courts to suspend judgments.

CompTIA, a computer industry trade association of which Microsoft is a member, said the ruling would have negative consequences for the IT industry and consumers.

http://www.internetnews.com/ent-news/article.php/3451271

How ITIL Can Improve Information Security

Posted on December 22, 2004December 30, 2021 by admini

ITIL can be applied across almost every type of IT environment. Interest in and adoption of ITIL has been steadily increasing throughout the world; the numerous public and private organizations that have adopted it include Proctor & Gamble, Washington Mutual, Southwest Airlines, Hershey Foods, and the Internal Revenue Service. In addition to the often touted benefits of ITIL – aligning IT with the needs of the business, improving service quality, decreasing the costs of IT service delivery and support – the framework can aid the information security professional both directly (there is a specific Security Management process) and indirectly.

Configuration Management: Best practices for controlling production configurations (for example, standardization, status monitoring, asset identification). Incident Management: Best practices for resolving incidents (any event that causes an interruption to, or a reduction in, the quality of an IT service) and quickly restoring IT services. These practices ensure that normal service is restored as quickly as possible after an incident occurs. These practices seek to proactively prevent incidents and problems.

Change Management: Best practices for standardizing and authorizing the controlled implementation of IT changes. These practices ensure that changes are implemented with minimum adverse impact on IT services, and that they are traceable.

Financial Management: Best practices for understanding and managing the cost of providing IT services (for example, budgeting, IT accounting, charging). These practices ensure that IT services are maintained and improved through a cycle of agreeing, monitoring, reporting, and reviewing IT services.

There is also a Service Desk function that describes best practices for establishing and managing a central point of contact for users of IT services. Two of the Service Desk’s most important responsibilities are monitoring incidents and communicating with users. The customer and IT organization negotiate and define a service level agreement (SLA) that includes definition of the information security requirements in measurable terms and specifies how they will be verifiably achieved.

Operational level agreements (OLAs), which provide detailed descriptions of how information security services will be provided, are negotiated and defined within the IT organization.

With its requirement for continuous review, ITIL can help ensure that information security measures maintain their effectiveness as requirements, environments, and threats change. ITIL enables information security staff to discuss information security in terms other groups can understand and appreciate.

http://www.securityfocus.com/infocus/1815

Cisco reveals security blunder

Posted on December 20, 2004December 30, 2021 by admini

The company issued an advisory on its Web site, warning customers of the vulnerability that affects the Cisco Unity unified communications software package versions two, three and four.

It also warned of a similar problem on Cisco Guard, a tool that helps protect companies from denial-of-service attacks.

Cisco Unity is a unified communications software package that allows users to listen to email over the telephone or check voice messages from the Internet. When integrated with a third-party fax server, it can even forward faxes to any local fax machine. The problem with Cisco Unity is that it creates certain user accounts with default passwords when integrated with Microsoft’s Exchange program. If the password isn’t changed when Unity is installed, outside users could log on and read incoming and outgoing email messages. They could also gain access to certain administrative functions.

Cisco has posted a solution on its Web site. The simplest fix is to change the default passwords on the accounts. The accounts with default passwords that should be changed can be found on the Web site.

In October, Cisco announced several security upgrades for its unified communications products. Specifically, it offered higher security on voice messages.

Cisco also warned about a vulnerability on Cisco Guard, an application to counter denial-of-service attacks. Like the Cisco Unity product, Cisco Guard comes with default usernames and passwords. The problem can be fixed by changing these settings.

Denial-of-service attacks occur when a network is flooded with so many packets that switches, routers and servers stop processing them and continuously reboot. The Cisco Guard product detects traffic anomalies and then diverts this traffic to protect the server that was targeted in the attack.

http://news.zdnet.co.uk/internet/security/0,39020375,39181665,00.htm

What’s Ahead For Identity Management in 2005

Posted on December 20, 2004December 30, 2021 by admini

But new challenges are emerging: the rise in fraud and identity theft, the increasing consumer demand for privacy protections, and the drive by companies to partner with other businesses to interconnect their online services. The pressures behind these new market forces are welling, and attention to will start to fundamentally shift the direction of the identity management market in 2005.

Compliance initiatives occupy center stage in IT and security projects. From Sarbanes-Oxley and the USA PATRIOT Act to HIPAA and Visa Account Information Security Standards, a common aspect of these regulations’ security and privacy components is the establishment of proper authentication practices and the appropriate assignment of privileges.

Developing, enforcing, and auditing authentication and access control policies is a core element of compliance projects. While businesses are still able to absorb the direct losses, consumers are altering their behavior, curbing their online purchasing and use of online banking services.

Whoever is accessing your systems, be it employees on your LAN or Wi-Fi network, partners on your extranet, or customers on your commerce sites, simple passwords no longer suffice as a reliable means of authentication. Businesses continue to build out and interconnect Internet-based services.

Provisioning directly addresses key compliance concerns around documentation, enforcement, and auditing of security controls. The primary value of provisioning has shifted from the ROI around self-service password reset and IT efficiency improvements to the policy enforcement and auditability around role-based access controls and centralized process management. Provisioning has eclipsed Web single sign-on in terms of both visibility and import.

HIPAA and Sarbanes-Oxley are driving organizations to adopt strong authentication technologies like smart cards and biometrics, or simply to strengthen their password policies.

E-SSO solutions have matured greatly and are deservedly getting a new look after a long period of neglect. This spans technologies as broad as Web services security, Trusted Computing, RFID deployments, and smart homes. This will manifest first in the realm of authentication and account protection, then in the realm of authorization and data protection

Identity federation moves out of the test lab.

Identity management will evolve towards a well-recognized layer of the computing stack, and vendors will develop broad portfolios of integrated components. Not only is it being rediscovered by end user organizations, but also big vendors will step up and acquire independent solutions after a long period of loose partnership activity.

http://www.csoonline.com/analyst/report3172.html

Microsoft Alters Hotmail Security Trend

Posted on December 20, 2004December 30, 2021 by admini

Under the agreement, the Tokyo-based anti-virus and security software company will provide Hotmail’s 187 million users with protection whenever they send and receive e-mail attachments. The software will scan in real-time for the latest viruses, Trojans and worms, according to Punit Minocha, senior director of business development at Trend Micro.

The move by Redmond was seen in some corners as a blow to Santa Clara-based security firm McAfee (Quote, Chart), a Trend Micro competitor, who had provided the bulk of virus security to Hotmail users since 2000.

The move has had nearly polar effects on both software security vendors’ stock prices.

http://www.internetnews.com/security/article.php/3450321

Cisco to buy security start-up

Posted on December 20, 2004December 30, 2021 by admini

The deal is expected to close by Jan. 29, the end of Cisco’s fiscal 2005 second quarter.

Cisco has focused on adding security capabilities to its product line for more than a year now. Last year, the company unveiled its Network Admission Control (NAC) program, a security architecture that combines virus scanning with network policing to keep attacks from entering the network in the first place.

From the beginning, Cisco has relied on acquisitions to assemble the pieces necessary to make the architecture a reality. In fact, the critical “trust agent” software in the NAC architecture that sits on users’ PCs and communicates with the Cisco policy server came from its acquisition in 2003 of Okena. Cisco is still pulling together the necessary pieces.

In October, the company bought Perfigo, a start-up that develops network access control products.

In March, it announced it was buying Twingo, which makes technology for Secure Sockets Layer virtual private networks. The technology is being incorporated into Cisco’s WebVPN product.

Cisco says it’s confident that Protego’s technology will fit nicely into its portfolio. “The acquisition of Protego further emphasizes Cisco’s commitment to network security, and (Protego’s) leadership in security monitoring, threat management and mitigation complements our ongoing work in security,” Richard Palmer, vice president in Cisco’s Security Technology Group, said in a statement.

One of the biggest problems network managers face is making sense of all the security warnings and alerts they get when an attack is detected. Protego has developed software that aggregates these alerts and security threat notices. But the company’s PN-MARS product takes security event management a step further. The software is designed to be aware of network topology. As a result, it can trace attacks through the network and send out new security rules on the fly to firewalls, Ethernet switches or IP routers to kill the attack.

Several other companies also sell products that aggregate security warnings and alerts. Some of these products, from companies such as NetForensics, ArcSight and Network Intelligence, also support remediation capabilities.

It’s easy to see how Protego’s technology complements Cisco’s existing product portfolio. In fact, the two companies have already been working together. Protego is currently a member of Cisco’s AVVID partner program, and the companies have been working together to sell security products to customers.

There are other ties among the two companies. Partha Bhattacharya, CTO of Protego, was architect and technical lead for several of Cisco’s security products, including Cisco’s firewalls, IP routers, virtual private network gear and intrusion detection devices.

http://news.zdnet.com/2100-1009_22-5498272.html?part=rss&tag=feed&subj=zdnet