CA Airs Wireless Manager

Posted on by admini

WSM features a variety of wireless management functions to streamline the administration of 802.11x networks: automatic WLAN (define) discovery and mapping; automatic detection and disabling of unauthorized wireless connections; access point load balancing and automatic channel allocation; and WEP (define) key management.

To take advantage of this feature, network users need to install a WSM agent — which authenticates the user — on their laptop, PDA or other mobile device.

Sumit Deshpande, vice president of development in CA’s wireless solutions group, said enterprises have been for the most part good at securing their networks from wireless snoops or unauthorized users. “What we do is make it easier for enterprises to use those standard measures to protect their environment. ”

Deshpande said the next version of WSM will be available in the next six to nine months, with 802.11i — the Wi-Fi security standard slowly wending its way through the Institute of Electrical and Electronics Engineers (IEEE) process — support at the top of the list.

http://www.wi-fiplanet.com/news/article.php/3429691

Read more

Counting the cost of security training

Posted on by admini

This quickly adds up to a rather tidy sum for managers trying to maximize their often decreasing budgets. They believe that if they provide training for their analysts that they will lose them to other firms.

While this can be a very valid argument, it is also one on the razor’s edge – by that I mean you run the risk of your employee becoming irritated at any lack of investment in them and their future, and they simply leave.

As a security analyst, for example, you must not only stay current with technology, but also improve your core skill set.

Right or wrong, many employees believe that it is up to the employer to provide that training – and with that same reasoning, most believe it should not be the employee who pays out of pocket for these courses.

Reality dictates that most companies simply do not provide adequate training for their staff simply due to financial constraints – and in fact, it may not be important to their long-term objectives.

If you own or manage staff in a small-to-mid size company, it would pay you great dividends to set aside some money for training. These initiatives would show your next prospective hire that you are definitely serious about helping to maintain their skills and investing in them as an employee. It is largely due to the fact that because the latest worm or virus has not affected them, and thus they do not see the need to provide training for their security staff. However, we all know that the very reason they were not affected is because they had trained and competent security staff.

For the many people out there who pull double or triple duty at times, getting the latest training is even more important.

Nowadays having the system administrator deal with related technology such as routers, in addition to all his other security functions, is all too common.

Learning on the job is a good way to learn, but it still cannot replace the proper training – yet so few want to shell out the money for it.

I believe this is why you see so many network security jobs with an insanely long list of required skills, often starting with a particular certification.

http://www.theregister.co.uk/2004/11/05/cost_of_security_training/

Read more

RSA sees looming identity crisis online

Posted on by admini

“You’re talking about hundreds of thousands of people who need to be authenticated,” Andrew Nash said at the RSA Conference in Barcelona. “If we can’t adopt quickly enough, the Internet will become known as a very unsafe place. People won’t have confidence in it and (companies) will bail out, if not put their technology on hold.”

Nash said identity fraud, such as through phishing scams, was partly to blame, and that it was difficult to moderate online identities. How do you know who the end users are? Without having the guarantee of identities, there is a big block to having more e-commerce.”

Phishing, in which fraudsters fake their identity to lure victims into submitting their personal details, has played a large part in identity theft. Customers of many major banks and e-commerce sites, such as eBay, have been the targets of such scams.

Nash said the Liberty Alliance, a user-based security group with members such as AOL, MasterCard and American Express, was trying to push for an identity federation through which companies could share authentication methods, but retain a certain amount of authority.

RSA Security, an electronic security firm in Bedford, Mass., is an active member in the Alliance, and the company said that there were around 30 other organizations trying to solve identity problems on the Internet.

Nash added that organized crime gangs were already targeting businesses to build an e-crime network that fed on e-commerce. “I was at a demonstration recently where there was a lot of interest in Internet monitoring on behalf of law enforcement,” he said. “(It) showed there was a serious amount of organized criminals moving toward specific targets. They were building a system to defragment vendors and business in coordinated attacks.”

http://news.com.com/RSA+sees+looming+identity+crisis+online/2100-7348_3-5440974.html?part=rss&tag=5440974&subj=news.7348.5

Read more

Greatest security risk: Social engineering, says Gartner

Posted on by admini

Gartner defines social engineering as “the manipulation of people, rather than machines, to successfully breach the security systems of an enterprise or a consumer”. This involves criminals persuading a user to click on a link or open an attachment that they probably know they shouldn’t.

Rich Mogull, research director for information security and risk at Gartner, said social engineering is more of a problem than hacking. “People, by nature, are unpredictable and susceptible to manipulation and persuasion. Studies show that humans have certain behavioural tendencies that can be exploited with careful manipulation.” “Many of the most-damaging security penetrations are, and will continue to be, due to social engineering, not electronic hacking or cracking,” said Mogull.

According to Mogull, identity theft is a major concern because more criminals are “reinventing old scams” using new technology. “Criminals are using social engineering to take the identity of someone either for profit, or to gather further information on an enterprise. This is not only a violation of the business, but of someone’s personal privacy,” said Mogull.

Rob Forsyth, managing director at Sophos in Australia and New Zealand, told ZDNet Australia about a ‘malicious and cynical’ scam that recently targeted unemployed Australians. According to Forsyth, the potential victim received an email that purported to come from Credit Suisse bank advertising a job opportunity. The email asked the recipient to go to a Web site that was an almost exact replica of the actual Credit Suisse site — but this version contained an application form for the ‘vacancy’. Forsyth said the replicated Web site was recreated so thoroughly that it took experts ‘some time’ to confirm that it was actually fake. It took us some time to determine it was a fake site. It was not necessarily groundbreaking but quite a clever combination of technology.

“They are targeting those people in the community that are most in need — those seeking work. It is exactly those people that might be vulnerable to this kind of overture,” said Forsyth.

http://news.zdnet.co.uk/internet/security/0,39020375,39172157,00.htm

Read more

Vendors promise solid tech support, but our test found long hold times and poor advice

Posted on by admini

Robust, exciting technology may be the spark that brings vendors and customers together, but support is the stuff of long, happy relationships. With a malware storm always on the horizon, you’d expect AV vendors to have among the best customer support programs.

The last thing you’d expect is having to wait an eternity on an 800-number listening to Burt Bacharach melodies only to tell your problem to a call center operator with a checklist of questions and stock responses.

But that’s exactly what Information Security found disturbingly often in our review of leading AV vendors’ customer support.

Information Security graded each on the entire support experience, putting the greatest weight on the ability to solve our test problems (see “Report Card”).

http://infosecuritymag.techtarget.com/ss/0,295796,sid6_iss486_art1005,00.html

Read more

Companies under security pressure

Posted on by admini

Failure to patch and update systems effectively after the identification of known threats is the single largest operational risk UK-based companies with operations overseas and more than 5,000 employees.

A third of the sample of 40 senior UK-based IT security personnel said it took more than six hours to contain a new threat across their organization.

A quarter (25 per cent) saw Distributed Denial of Service (DDOS) attacks as the single largest risk to their business, whilst laptop and Personal Digital Assistants (PDA) theft was the key concern for 8.3 per cent of respondents.

Application-level threats are by far the most significant emerging threat for large companies this year, with 58 per cent of the sample stating that attacks against enterprise apps gave them the fear.

The Sarbanes-Oxley Act is seen as having the most impact on enterprises’ information security management planning in 2004 with 36 per cent of the sample giving this a top rating.

BS7799-2:2002, the government’s gold standard for information security, came in third with just 19 per cent even though it was rated as the best framework for defining companies’ Information Security Management Systems by the security pros quizzed by NetSec.

David Howorth, sales director of NetSec UK Limited, commented: “The findings illustrate that large enterprises already recognise that they are buckling under the strain of the workload created by new vulnerabilities and threats.

http://www.xatrix.org/article3680.html

Read more