Idenitification flexibility
CA hierachy
Cross Certification
Revokation
Other organization’s revokations
Liability
Idenitity Provisioning
Organization
Economic Model
http://www.ebcvg.com/articles.php?id=271
SANS unveils top 20 security vulnerabilities
The SANS list is compiled from recommendations by leading security researchers and companies around the world, from institutes such as the National Infrastructure Protection Center and the U.K.’s National Infrastructure Security Coordination Centre.
The Top-20 is actually two lists of 10: the 10 most commonly exploited vulnerabilities in Windows, and the 10 most commonly exploited vulnerabilities in Unix and Linux.
Many of the vulnerabilities have made the list before, but there were some surprises this year, according Ross Patel, director of the Top-20 list. As with IM, file-sharing applications are simple and operational in nature, and security concerns are often overlooked, Patel said.
“Hands down, Web browsers for Windows were the topic that caused most of the harm, pain and passionate debate for experts from every continent,” Patel said. With the number of vulnerabilities in Microsoft Corp.’s Internet Explorer browser prompting some security experts to suggest earlier this year that users switch to other browsers, list contributors were left wondering whether they should recommend the same, Patel said. However, they finally decided that the move was too much to ask and that they should endorse securing whichever platform a user chooses.
According to Gerhard Eschelbeck, chief technology officer at network security firm Qualys Inc. and a list contributor, the Top-20 is widely used by organizations as a security benchmark.
http://www.computerworld.com/securitytopics/security/story/0,10801,96516,00.html
ISD Conference ’04: Regulatory compliance in the real world
“Regulations recognize you can’t protect yourself from everything,” Proctor told delegates at Thursday’s Information Security Decisions conference.
But, he acknowledged, their built-in flexibility also can work against an organization if controls aren’t mapped to a proactive, process-oriented security program based on an ongoing risk assessment.
Corporate governance-oriented SOX, which holds public companies’ top executives accountable for internal data controls, is especially vague on security.
The real deal with Sarbanes-Oxley: Perspectives for the security manager Delve below the surface and examine how SOX applies to the work done by the security manager.
Companies that must meet multiple regulatory laws should find common denominators and then roll out a security program based on the general legal requirements, such as record-keeping, incident reporting and following best practices.
Build a defensible case for anyone likely to challenge those controls, such as data owners and both internal and external auditors who ultimately decide who is and isn’t meeting security and privacy guidelines.
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1013875,00.html
Hack attacks and spam set to increase
IT security spending is set to almost double from 2.5 per cent of overall technology spending to four per cent within the next four years, while spam is will increase from 17 billion emails today to 23 billion by 2007.
‘Almost half of emails will be spam related in the future,’ said Thomas Raschke, IDC’s program manager for European security products and strategies, speaking at the analyst’s 2004 Security Conference in London. ‘On average employees will use 10 minutes of their day identifying spam and getting rid of it. When you add this up businesses face massive losses connected to it,’ he said.
Rather than developing a reliance on new security products, IT directors need to realise the importance of enforcing security policies and run a risk analysis every month, especially when implementing higher risk technologies, such as mobile policies and peer-to-peer projects, says Raschke. ‘Security policies need to be checked and re-evaluated constantly. Firms should build in rules governing what people can access using the corporate network – it’s often an overlooked part of the business,’ he says.
But by undertaking proper risk analysis organisations may discover parts of the business that require less IT security spending than others. ‘Not everything needs to be one hundred per cent secure, for instance lots of information is shared with partners and customers on the internet,’ said Raschke.
A growth in malicious attacks, viruses and spyware will also lead to a 15.4 per cent increase in security software spending over the next four years, with firms investing more on intrusion detection, secure content management, firewall and VPN software.
‘It is easy to create maximum damage to systems with little effort these days, it’s as simple as going to an internet site and loading virus writing tools,’ said Raschke.
IDC also predicts spending on security hardware appliances will also grow by 23 per cent between 2003 and 2008, as IT departments look for methods to monitor all areas of IT security.
http://www.vnunet.com/news/1158623
Shifting cyber threats menace factory floors
PLCs are microprocessor-based systems programmed to make the timing and control decisions in machine automation that once required arrays of electromechanical relays.
On older systems, PLCs communicated over RS-232 serial lines — slow going, but relatively secure. But modern PLCs can plug right into a plant’s Ethernet, exposing them to whatever threats lurk therein.
Coming from an IT environment, Cupps hoped to find that the control systems at his company’s plants were protected by at least as much security as a Windows desktop. The controls systems at Cupps’ company are made by Rockwell Automation, but Cupps hastens to point out that the absence of authentication on PLCs is an industrywide problem, and not at all limited to one particular vendor.
Other experts agree, and say the root cause is historical: the control systems rely on protocols and industry standards that were built for dedicated serial lines – not shared TCP/IP networks.
“It’s script kiddy material to control PLCs,” says Eric Byres, a researcher and critical infrastructure security specialist at the British Columbia Institute of Technology (BCIT).
The implications are disturbing to Byres and Cupps; in factories across the globe PLCs control pumps, conveyer belts, paint sprayer booths, welding machines, motors and other equipment. “We found numerous ways to perform single-packet denial of service attacks against PLCs,” says Byres.
The 13 cyber security incidents logged between the years 1982 and 2000 were almost all attributable to accidents, inappropriate employee behaviour, or sabotage by disgruntled employees.
Processer Power Issues In a lot of those external attacks, control systems were merely collateral damage from IT issues like worms, “because we have Windows running all over the plant floor,” says Byres. Michael Bush, security program manager at Rockwell Automation, acknowledges that Ethernet-enabled control systems “change the rules significantly” from the days of dedicated serial lines.
For his part, Cupps says he took emergency measure to shore up the control systems at his company, then committed to a massive reorganization of its networks, putting the factory floors on their own subnets, adding firewalls between them, and installing intrusion prevention systems, among other things.
http://www.securityfocus.com/news/9671
IDC sees IT rebound in Europe
According to research from analyst firm IDC, nine million IT workers and their companies in the Europe, Middle East and Africa (EMEA) region are already generating more than $200bn in tax receipts. And that number is expected to grow.
“We are in the midst of an IT rebound in EMEA,” said Thomas Vavra, software and consulting manager for IDC. “Western Europe was hit hard, but emerging markets have mitigated losses and are expanding. “That’s a benefit for government because it will have less unemployment expenses and there will be a number of new people in IT.”
IDC surveyed 19 countries in the EMEA region. It predicted that IT spending is set to improve — the company said that by 2008 spending would reach a value of $360bn.
“We expect that over four years we will see a representation of new jobs connected with software,” said Vavra. “In many of the emerging markets, countries are moving away from infrastructure IT to software.” Vavra added that more than a third of 2004 tax revenues came about because of ‘the vast Microsoft ecosystem’. He said that for every dollar of Microsoft revenue in the region, another seven and a half were generated by companies, which sell technology to run on the company’s operating systems.
Countries examined in the study included: the Czech Republic; Hungary; Israel; South Africa; Austria; Denmark; France; Germany and the UK among others.
http://news.zdnet.co.uk/business/0,39020645,39168980,00.htm