Oracle Releases Risk Hub

Posted on by admini

With this product, Oracle would be used as the consolidation point for offerings from other risk management providers.

On the operational risk side, Oracle has a dashboard product called “Internal Controls Manager” that allows drill-down access to data and events being tracked for regulatory compliance. “It’s a single place to integrate information that’s related to every one of the regulatory mandates, so that you can drill down through the same dashboard in Sarbanes-Oxley information, Basel II information, Patriot Act information, and see the relationships,” says Andrea Klein, vice president of financial services industry marketing for Oracle.

Getting a handle on enterprise risk does more than help satisfy regulatory mandates stemming from Basel II.

“In the same way that the Basel II guidelines are going to make the banks more aware of their capital position so they can manage their money more effectively, you can do that same kind of better management on each one of your corporate accounts,” she says.

http://www.banktech.com/story/news/showArticle.jhtml?articleID=53200242

Read more

Companies warned on IM dangers

Posted on by admini

A report issued on Thursday by Meta Group found that 57 percent of the people surveyed at 300 companies worldwide use IM at work for personal chitchat more often than for job-related communications.

In a nod to IM as a productivity tool, Meta found that 56 percent of employees use the applications at home for work-related activity.

“We believe that by 2008, most new employees will be assigned an IM account when they start a job, just as they are issued an email account today.” As a result of IM’s growing popularity, Tzirimis said an increasing number of companies are looking at ways to track employee use of the applications.

A recent survey released by ePolicy-AMA found that 60 percent of US companies now use software to monitor incoming and outgoing external email and that 27 percent of employers use software to track internal email between employees.

Tzirimis recommends that more companies use tools for tracking IM use, because the software potentially an even larger security threat than email, based on the sort of attacks designed to take advantage of the applications.

http://news.zdnet.co.uk/business/employment/0,39020648,39173540,00.htm

Read more

Gartner: Oracle Needs To Come Clean On Vulnerability

Posted on by admini

Gartner’s Neil MacDonald and Rich Mogull said that Oracle has declined to provide more detailed information about the vulnerabilities that spawned a patch first released in August, then re-released in October.

Although keeping mum is Oracle’s standard policy, the analysts took the company to task for not spelling out the consequences of not applying the patch, and more important, whether the vulnerabilities affect older, non-supported versions of Oracle’s Database Server, Application Server, and Enterprise Manager.

“At worst, [this means] records in every Oracle database you own could be vulnerable,” the pair wrote in an online alert posted to the Gartner Web site. It may be smart to not provide hackers information that could be used to craft exploits, but that “differs from offering information about the implications of not protecting yourself against that exploit,” the guys from Gartner wrote.

“System administrators don’t have enough information to decide which servers to prioritize or which data is most vulnerable.”

And if Oracle offered more detail about the vulnerability, customers might be able to set up defenses, such as deep-packet inspection firewalls, intrusion prevention systems, and application firewalls to protect themselves against attacks, they added.

MacDonald and Mogull recommended that enterprises using the Oracle products apply the patches to supported versions. If older editions are in use, such as 7.x or 8.0x, they advised companies to either upgrade immediately or switch to a rival database. They also urged Oracle customers to put pressure on the Redwood Shores, Calif.-based database giant.

“Ask Oracle to follow Microsoft and other leaders that disclose the details of their vulnerabilities and provide security patches freely to anyone on any supported version of their products,” they recommended.

http://www.techweb.com/wire/security/52601314

Read more

Factoids on Security

Posted on by admini

Two-thirds of users say they don’t get computer security training at work.

Infosec jobs will reach an estimated 2.1 million in 2008.

Very few companies are complying with CAN-SPAM Act.

Nearly two-thirds of enterprises use commercial spam filtering software or appliances.

One in 10 companies has not tested its disaster recovery systems in more than a year.

Congress plans to allocate $3.6 billion for first responders in 2005.

More than one-third of companies do not have an integrated, comprehensive BC/DR plan.

Coast Guard sees budget jump more than $700 million for FY 2005.

Phishing attacks grow in number, and their prey have not wised up.

E-mail archive software revenues doubled from 2003 to 2004.

Survival time for unpatched Windows PCs cut in half.

Federal IT security spending for fiscal year 2005 shows just 2 percent increase.

Although many companies measure security performance, two-thirds don’t measure ROI for risk management.

Product and financial-related messages rank as top spam categories for April.

U.S. consumers identify top five potential sources of ID theft.

Training IT staff in basic security can reduce breaches, but it’s not for everyone.

Spim (IM Spam) messages will total 1.2 billion messages in 2004.

Worms and blended threats accounted for 43 percent of Internet attack activity between July and December 2003.

Online consumers trust their employers more than any other organization.

Spam will account for more than half of all e-mail messages in 2004, costing businesses billions.

MyDoom outbreak hits specific websites, leaves rest of Net undisturbed.

Nearly one in five U.S. consumers know a victim of online credit card fraud.

Identity theft and fraud cost Americans some $437 million in 2003.

Most online consumers believe their passwords are secure, but almost half of them never change their passwords.

Identity theft and credit card theft top consumer fraud fears this holiday season.

The United States leads the world in e-commerce fraud, generating 47.8 percent of worldwide fraudulent transactions.

Nearly three in four health care companies don’t bother to justify information security spending.

Uncle Sam seeks IT workers with security clearance and basic programming skills.

More digital attacks originate from Brazil than anywhere else; so far the 2003 count stands at more than 95,000 digital attacks.

Product related e-mails account for 20 percent of all spam, but Internet related messages show biggest increase.

Business Process Management tools gain traction in the enterprise.

The FTC projects 210 million complaints reported to its identity theft clearinghouse by year-end 2003.

Businesses and consumers lose more than $50 billion to identity theft over the last five years.

A majority of U.S. companies did not have formal plans in place to handle recent blackouts in the eastern United States.

The majority of Fortune 1000 execs are better prepared than they were two years ago to recover from a disaster.

Message security market will grow to $1.1 billion by 2007.

Many PDA users keep sensitive business information on their PDAs.

More than one-third of Canadians say their personal information has been compromised online.

Web application security products and services market to hit $1.74 billion by 2007.

Global financial firms spend about 6 percent of their IT budgets on security; many have increased staff since 2001.

Corporate losses caused by spam will grow from nearly 10-fold from 2003 to 2007.

Most broadband users store confidential information on their computers but lack proper firewall protection.

Security concerns top list of barriers for online banking.

North America was the main source for global security incidents and attacks from the fourth quarter of 2002 through the first quarter of 2003.

U.S. consumers to lose $73.8 billion to identity theft.

Chinese developers see spike in security breaches.

More than half of Web shoppers want more secure payment options.

Storing data is the easy part; recovering data is another story.

Klez.E attacks have dropped over last year, but the virus remains one of the most popular.

Spam attacks increased 4 percent from February to March.

Nearly 50,000 Internet fraud incidents were reported in 2002.

Nearly one-third identity thefts lead to credit card fraud.

Just 42 percent of consumers think businesses handle personal information in a proper and confidential way.

Nearly one-third of virus attacks in February can be blamed on the Klez.E worm.

One in three companies would lose critical data or operational capability during a disaster because their recovery plans are not adequately funded.

Digital attacks against U.S., U.K. on the rise.

Less than half of companies have intrusion detection systems in place.

Many IT professionals expect military forces or terrorists to launch a large-scale cyberattack within two years.

The United States was the number-one target of hackers in 2002.

Protecting credit card information during online purchases is of concern to 92.4 percent of Web shoppers.

Damages from digital attacks total $8 billion in January.

Companies rank virus threats as top security priority for 2003.

Online auctions account for half of Internet fraud complaints.

Fridays and weekends are prime-time for hackers.

Retailers lose about 1 percent of transaction volume to credit card fraud.

Three percent of online sales will be lost because of credit card fraud.

A recent survey finds that investments in identity management technologies can pay off, but few companies are investing.

Security and business continuity a top priority for 29 percent of companies in 2003.

Most Web shoppers are concerned about their personal information being sold or stolen.

Of U.K. companies that allow remote access to company networks, 52 percent are worried about security problems.

More than 40 percent of companies spend 5 percent or more of their IT budget on security.

Internet attacks against public and private organizations jumped 28 percent from January to June 2002.

One in every 24 e-mail received by U.K. retailers contains a virus.

The vulnerability scanning and assessment market will thrive as CIOs seek security help outside the organization.

More government websites are posting privacy and security policies.

Just 30 percent of Canadian CEOs think their security measures are effective.

More than 80 percent of U.S. security professionals fear hacker attacks on their networks.

Nearly one-third of companies say they don’t have adequate plans for combatting cyberterrorism.

IT professionals fear a cyberattack by terrorists within two years.

Roughly 180,000 Internet-based attacks hit U.S. businesses in first half of 2002.

Nearly all consumers say disclosure is important for e-commerce websites.

Most online consumers are willing to trade personal info for rewards.

More than 49,000 complaints of Internet fraud filed in 2001.

Nearly 75 percent of U.S. websites have a privacy policy.

New markets push spending on corporate protection.

Chief security officers who report to the CFO make twice as much as those who report to the CIO.

Most (64%) people don’t pay attention to privacy policies.

More than two-thirds of e-retailers are taking extra precautions against fraud this year.

Reports on inside security breaches up 7 percentage points over 2000.

Many companies aren’t prepared for dealing with disruption.

Most marketing companies have a CPO; nearly half use consultants.

Employers look to employee Internet monitoring to stem liability and security issues.

Companies spend $140 million per year worldwide to monitor employee Internet, e-mail use.

Consumers say they are 12 times more likely to be defrauded online than offline.

Just 16 percent of managers and IT staffers surveyed said that their companies were members of an industry consortium that addressed privacy issues.

The secure content delivery market will reach $2 billion by 2005.

Security breaches occur at 85% of U.S. businesses and government organizations.

Increased awareness means that European and U.S. firms will boost security spending.

How much depends on what companies are willing to risk.

Increased awareness means that European and U.S. firms will boost security spending.

How much depends on what companies are willing to risk.

Spending on security will grow from $8.7 billion to $30.3 billion worldwide.

Consumers want companies to ask permission before taking personal data.

http://www.csoonline.com/metrics/index.cfm

Read more

Banks brace for cashpoint attack

Posted on by admini

This fall the Global ATM Security Alliance (GASA) published what it says are the first international cyber security guidelines specifically tailored to cash machines. Experts see new dangers as legacy ATMs running OS/2 give way to modern terminals built on Microsoft Windows.

“The recommendations presented in this manual are essentially designed to provide a common sense approach to the rapidly changing threat model that the introduction to the ATM channel of the Windows XP and other common use operating systems, as well as the TCP/IP network protocol suite, has created,” said the manual’s author, Ian Simpson, in a statement.

The move comes one year after the Nachi worm compromised Windows-based automated teller machines at two financial institutions, in the only acknowledged case of malicious code penetrating ATMs. The cash machines, made by Diebold, were built on Windows XP Embedded, which suffered from the RPC DCOM security hole Nachi exploited. In response to the incident, Diebold began shipping new Windows-based ATMs preinstalled with host-based firewall software, and offered to add the program for existing customers.

Though ATMs typically sit on private networks or VPNs, supposedly-isolated networks often have undocumented connections to the Internet, or can fall to a piece of malicious code inadvertently carried beyond the firewall on a laptop computer.

Last year’s Slammer worm indirectly shut down some 13,000 Bank of America ATMs by infecting database servers on the same network, and spewing so much traffic that the cash machines couldn’t processes customer transactions.

The goal of the ATM cyber security best practices document, which has not been made public, and a related white paper developed by GASA, is “to be proactive in fighting what might be the next wave of ATM crime – namely cyber attacks,” said Mike Lee, founding coordinator of the group, in a statement.

GASA’s members include fraud prevention agencies, financial industry associations, the US Secret Service, Visa and MasterCard, and some ATM networks and manufacturers, including Diebold and NCR.

http://www.newsisfree.com/iclick/i,60511486,1393,f/

Read more

Microsoft to back customers in infringement cases

Posted on by admini

The company said the protection extends to current and older versions of its software, including its Windows operating system, Office desktop software and SQL Server database. The company already offers unlimited protection to its volume license customers but is adding the indemnity for customers who buy its key products in other ways, such as from a computer maker or even off a retail shelf. “When we looked at things, there was no reason not to provide that coverage to all those folks as well,” said David Kaefer, director of intellectual-property licensing for Microsoft.

The protection covers four main types of claims: patent, copyright, trade secret and trademark. The protection extends to nearly all of Microsoft’s products, with the main exception being embedded versions of Windows, largely because customers are able to modify the code.

Of course, it’s not just altruism that motivates the software maker. The company plans to make indemnity a new plank in its “Get the Facts” campaign, which touts the advantages of Windows over Linux. Chief Executive Steve Ballmer talked about indemnity as a key differentiator during Tuesday’s shareholder meeting. “We enhance the intellectual-property indemnifications we give our customers,” Ballmer said at the meeting. “We can stand behind our products in a way that open source can’t because they have no one standing behind them.”

Kaefer said the argument is resonating with some customers who are concerned about liability. “More and more customers are realizing you don’t get what you don’t pay for,” he said.

Hewlett-Packard and Novell have offered liability protection to some Linux customers, but both Microsoft and analysts note that most of the protections from the Linux vendors are more limited.

Last year, Microsoft lifted a cap for its volume-licensing customers that had limited the dollar amount of protection Microsoft offered its customers against intellectual-property claims resulting from their use of Microsoft software.

Microsoft has been beefing up its own intellectual-property portfolio, a move that Kaefer said does make it easier for Microsoft to offer such protections. “The reason we are able to do this at all is because we have done some of the things that you have to do earlier in the process,” he said.

As part of the announcement, Microsoft highlighted two customers–Regal entertainment and ADC Telecommunications–that said that indemnity was key to their choice of Windows over Linux. “We simply aren’t interested in having to worry about potential legal risks of deploying Linux in this environment,” ADC Telecommunications manager Jamey Anderson said in a statement.

http://news.com.com/Microsoft+to+back+customers+in+infringement+cases/2100-1014_3-5445868.html?part=rss&tag=5445868&subj=news.1014.5

Read more