Security News Curated from across the world
Virus and hacker attacks have shot up by 20% in the first six months of this year, according to security experts.
With companies experiencing an average of 38 attacks a week, ensuring these vulnerabilities in systems are patched or fixed, is “critical” to their survival.
To protect themselves, companies and home users need to use a combination of protective safeguards.
More info: [url=http://news.bbc.co.uk/2/hi/technology/3154806.stm]http://news.bbc.co.uk/2/hi/technology/3154806.stm[/url]
CIOs should provision contingencies for business continuity and address the disaster recovery and continuous availability of systems to minimize the impacts of outages and to further ensure the IT organization’s credibility.
A note of caution, however: two-hour recovery time objectives (RTOs) are typically 10x regular operating costs.
Short-term vs. long-term compliance activities: Some CIOs will find it in necessary to provide for a longer implementation period in light of their organization’s respective risk profile, level of resilience, and unique business circumstances.
Bottom Line: CIOs must commit to robust recovery capabilities and prepare the ITO to respond to a wide-scale disruption by adopting sound BCP and DR practices.
META Group originally published this article on 29 October 2003.
More info: [url=http://techupdate.zdnet.com/techupdate/stories/main/Banking_on_IT.html?tag=tu.scblog.meta.6673]http://techupdate.zdnet.com/techupdate/stories/main/Banking_on_IT.html?tag=tu.scblog.meta.6673[/url]
When it comes to budgets, less can be more.
Compare, for instance, your security budget with the annual salaries of professional football players. You’ll find that both are based on tangible and intangible valuations.
For many CSOs, their departments’ cost-center status is not just an accounting designation, it’s a state of mind. The good news is that the CSO is no longer the corporation’s poor relation.
In a worldwide study conducted by CIO (CSO’s sister publication) and PricewaterhouseCoopers released in October of this year, approximately 7,500 CEOs, CFOs, CIOs, CSOs, and vice presidents and directors of IT and information security were polled on their security spending habits.
When asked to compare their 2003 security budgets with 2002, 45 percent of the survey’s respondents indicated that their budgets would increase a little, with 17 percent claiming that the increase would be significant. Only 8 percent of respondents said that their budgets would decrease.
It turns out that increasing funding is not just a wish or a goal for the CSO, it’s a strategic initiative. A full 30 percent of respondents reported that one of their top strategic objectives is to expand that budget even more.
When respondents were asked what factors presented a barrier to good security measures at their organizations, a limited budget far outweighed any other response.
Tips:
– Be the Chief Self-Esteem Officer
CSOs need to be calm, deliberate and forceful.
– Don’t Pass the Buck, Pass the Check
Look at exactly what is included in the security budget. Are there projects and programs that shouldn’t be there? CSOs must do the legwork of selling business units on the benefits of new security technologies and programs.
– Practice Pavlovian Security
CSOs can save themselves considerable budgetary wrangling when they lean on policies, procedures and behavior modification techniques instead of expensive technology solutions.
– Become a Fast Follower
Security is one area where there is no prize for first place. That’s especially true when CSOs waste their budgets on new technologies that aren’t quite ready for prime time.
– Communicate Early and Often
CSOs may be good at talking with their teams, but when it comes to their executive peers, they’re typically not as skilled.
– Believe in Vendors
Turn those arm’s-length relationships into strategic partnerships, you can squeeze a much greater benefit out of the money you’re already paying them and offload security tasks that you don’t have the budget to do in-house.
– Use People, in a Good Way
“I would rather pay more money and have less officers than have a whole bunch of officers that don’t know what they’re doing”
Security doesn’t have to make money—most of the time it’ll be a cost. One area that most CSO agree is ripe for finding cost savings is in guard contracts. That’s challenging because guards become “an emotional fixture.”
More info: [url=http://www.csoonline.com/read/110103/money.html]http://www.csoonline.com/read/110103/money.html[/url]
The audit must be conducted by an independent party and assess “the risk and magnitude of the harm that could result from the unauthorised access,” alteration or destruction of company computers, says the draft, prepared by Representative Adam Putnam.
“Given the magnitude of the threat and the depth of the vulnerabilities that exist today, it is imperative that we address this matter aggressively and collaboratively in order to enhance the protection of the nation’s information networks on behalf of the American people and the US economy,” Putnam said in a statement this week.
Miller said the final recommendation could include legislative, regulatory or self-regulatory approaches.
More info: [url=http://news.zdnet.co.uk/business/0,39020645,39117721,00.htm]http://news.zdnet.co.uk/business/0,39020645,39117721,00.htm[/url]
The “critical update,” released late on Tuesday, applies to three of the four major applications in Office 2003–the Word word-processing program, the PowerPoint presentation application and the Excel spreadsheet software, according to a Microsoft bulletin.
The problem happens when a document created with one of those applications is opened with an earlier version of Office.
If the document contains graphics elements created using the OfficeArt tool, the earlier version of Office will misinterpret that part of the document and add invalid data to the file when it is saved.
An attempt to re-open the file with the Office 2003 application that created it could result in a corrupted document, missing content or other errors.
More info: [url=http://news.com.com/2100-1012_3-5103267.html]http://news.com.com/2100-1012_3-5103267.html[/url]
Most implementations of WPA, in order to make use of the cryptography accessible to unsophisticated users with normal home computing equipment, allow users to enter a common shared phrase into a WPA user interface on the computer.
Other key management techniques are available to WPA, but these generally require more expensive and complex network management equipment, such as authentication servers.
Moskowitz states that after sniffing a few packets of data from certain points in Wi-Fi standard communication, an attacker could use a “dictionary attack” on the data offline in an attempt to guess the passphrase.
According to Moskowitz: “A key generated from a passphrase of less than about 20 characters is unlikely to deter attacks.
More info: [url=http://www.eweek.com/article2/0,3959,1375027,00.asp?kc=EWRSS03119TX1K0000594]http://www.eweek.com/article2/0,3959,1375027,00.asp?kc=EWRSS03119TX1K0000594[/url]