WARNING! Adobe warns users about Reader and Acrobat security flaw

Adobe is urging users to be cautious when handling PDF files after hackers used a flaw in Adobe Reader and Adobe Acrobat to attack users' systems.

In a security bulletin, Adobe said it had received reports of attacks targeting a previously unknown flaw in Adobe Reader and Acrobat.

When exploited, the flaw allows an attacker to execute code and steal data on systems remotely.

The issue is believed to affect version 9.0 and earlier of both applications. The way the programs handle JavaScript within PDF files is said to be the problem.

Adobe expects to issue a patch for the problem by 11 March but I would like to say “I am not holding my breath here”.

Let's face it; this is not the first problem that has been with the Adobe Acrobat Readers. We have had holes like this before an d it took a while before any patched were available.

It is a shame that the Open Source PDF readers are not as yet all ready to do the same as Acrobat Reader when available for Windows. In most cases the readers for Linux can do exactly the same as Adobe Reader and even better some of them.

Michael Smith (Veshengro), February 2009

Absence of Evidence Does Not Equal Innocence

By Paul Thackeray, VP EMEA, Barracuda Networks

Imagine, for a moment, that the delete button on the email client of all of your employees was permanently disabled. This would mean that your email users would be forced to save and organize their email into various folders within the email client, and then when their email file reached quota, your IT team would have to move all the old email into large PST files or other forms of backup. This now means that you have email scattered all over the network in any number of stores. Now imagine that your organization is implicated in a lawsuit and the attorneys for the plaintiff have issued subpoenas for all of your electronic records, including email, related to the lawsuit. How do you access those emails?

Well the good news in this scenario is that you at least have all of the email. Often businesses operate under the assumption that if there is no record of the topic in question, then they cannot be held responsible. This is simply not true. Businesses that delete email, even as part of standard business practice, but that have no way of retrieving it in the future, can still be held liable for the information contained within the deleted email. Simply having all of the email, however, is only half the battle. Companies must also have mechanisms in place to quickly search and retrieve the emails in question

While the suggestion that a disabled delete key may seem like an extreme scenario, the concept behind it is important: Business email should not be deleted until the organization has some way to archive and, more importantly, retrieve email.

Archiving for the rest of us

Organizations in heavily regulated industries, such as the financial, government and healthcare industries were among the first to put policies and solutions in place in order to satisfy regulatory standards for their specific markets. But all organizations, no matter what vertical, need to very carefully assess what risks they face by not saving email.
It is an unfortunate fact that most organizations will at some point in the course of normal operations be implicated in lawsuits. Litigation discovery, or e-discovery, involves all parties in a lawsuit and requires that all data or information relevant to the lawsuit be provided as requested by the court of law. The cost of finding and producing such information can often outweigh the actual damages claimed in the lawsuit itself. This is most often the case for companies that are not using an email archiving solution.

Key features to look for

Message archiving solutions should have the ability to full index all email to enable simple search and retrieval of emails containing specific key words in an e-discovery request as well as for corporate policy control. Retention policies are also a key factor when determining which solution fits the needs of the organization; archiving solutions should have the storage capacity to keep email records for long periods of time in order to satisfy regulatory compliance standards. All functionality should be organized via a simple user interface that is easy for the administrator to use, but that also captures a high-level glimpse into the performance of the message archiving solution that can be easily demonstrated to management or legal counsel.

The bottom line: there is no single reason for implementing an archiving solution. But one thing is for certain, email must be retained by every organization that relies upon it as one of its main business communication channels. Deploying an easy-to-use solution will save a lot of time and resources for the organization in the long run. Further, it is a much simpler, and more practical solution than disabling the delete key on the email client.

Barracuda Networks is exhibiting at Infosecurity Europe 2009, the No. 1 industry event in Europe held on 28th – 30th April in its new venue Earl’s Court, London. The event provides an unrivalled free education programme, exhibitors showcasing new and emerging technologies and offering practical and professional expertise. For further information please visit www.infosec.co.uk

Courtesy: Inforsecuroty PR

A Security Experts Guide to Web 2.0 Security

by Roger Thornton Fortify Software CTO and Jennifer Bayuk, formerly CISO of Bear Stearns

Web 2.0 has brought new life to the online world

Web 2.0 has made the Web a livelier and friendlier place, with social Web sites, wikis, blogs, mashups and interactive services that are fun as well as useful. There are two Web 2.0 concepts that change the game for CISOs, and that they need to understand. The first is the introduction of rich client interfaces (AJAX, Adobe/Flex) while the other is a shift to community controlled content as opposed to publisher consumer model. Both have serious security issues.

It’s all good news about Web 2.0, right?

Yes, unless you happen to be responsible for securing the Web 2.0 environment for your business or enterprise. Then, you might just lament that we’ve taken the data-rich server model of the 1970’s and grafted it onto the interface-rich client model of the 1980’s and 90’s, giving us more capabilities but also a more complex—and vulnerable—computing environment.
We have to deal with the problems traditionally encountered using interface-rich clients—viruses, Trojans, man in the middle attacks, eavesdropping, replay attacks, rogue servers and others. And all of these apply to every interface in a Web 2.0 mashup, which could have dozens of clients in one application.

In addition, the user community has changed from being simply indifferent to being willfully ignorant of the value of information. Users willingly post the most revealing details about their employers and their professional lives (not to mention their personal lives) on MySpace, Facebook, LinkedIn and Twitter—information that is easily available to just about anyone.
The problem is painfully obvious for the security professional: More complexity and openness creates vulnerabilities and opportunities for attack and the release of confidential information. This all results in more headaches for security professionals who have to be vigilant in order to keep their IT environments secure.

What’s a CISO to do?

Although some companies have tried all options, you can’t easily write your own browser, isolate your users from the Web, or control everything that happens on their PC desktop. However, there are steps you can take that can seriously improve your odds of winning the battle over Web 2.0 vulnerabilities.

For community controlled content:

1.Educate yourself and your company, developers, vendors and end users about Web 2.0 vulnerabilities. Institute a clearing process for the use and inventory of new Web 2.0 components before they are incorporated into your business environment.
2.Segregate users’ network access for those who need and those who don’t need access to social networking sites.
3.Establish a policy identifying inappropriate professional topics for public discussion on the Web or through online social services.
4.Create desktop policies and filters that block, as much as possible, interactions with unknown and untested software.

When deploying rich client interfaces:

5.Assign a cross-functional team to work with software development and application owners to educate themselves on the risks of incorporating Web 2.0 components into applications. Have your own developers recognize and control the use of potentially vulnerable tools such as ActiveX and JavaScript.
6.Require your vendors to meet secure coding standards.
7.Vigorously stay on top of vulnerabilities and exploits. Use your Web 2.0 inventory to establish a quick response plan to mitigate software as issues arise.

Fortify is taking the lead in educating Web 2.0 developers about the security vulnerabilities of their sites and services. Fortify’s Resource Center helps educate Web 2.0 developers about the security vulnerabilities of their sites and services by publishing the latest research in software risk mitigation, application vulnerability detection, and best practices in secure software development. Check it out to ensure you stay up-to-date on the latest security vulnerabilities and defenses against them.

For further information visit http://www.fortify.com/cisoguides/

Fortify is exhibiting at Infosecurity Europe 2009, the No. 1 industry event in Europe held on 28th – 30th April in its new venue Earl’s Court, London. The event provides an unrivalled free education programme, exhibitors showcasing new and emerging technologies and offering practical and professional expertise. For further information please visit www.infosec.co.uk

Infosecurity PR

GSS called in by combined Navies to stamp out Somali Pirates

UK Company GSS called in by combined Navies to stamp out Somali Pirates

Worthing 16th February 2009 – A European navy has recently deployed a Maritime Boarding system which has been developed by Systematic of Denmark with UK based IT security consultancy firm - Global Secure Systems (GSS), and Rajant Corporation of the USA to stamp out the threat of Somali Pirates.

This comes at a time when the International Maritime Bureau recently released it’s annual piracy report confirming the increase in piracy around the world, and particularly a 200% increase off the coast of Africa where there were 111 attacks reported last year, with 49 vessels hijacked. These include the high profile Faina, which has a cargo of T-72 tanks, the Saudi owned supertanker, the Sirius Star, recently released for an undisclosed ransom. This is a very serious issue, not just for ships and their cargo, but for the crew. In 2008 nearly 900 crew members were taken hostage, 32 sailors injured, 11 killed and 21 missing, presumed dead. In January 2009 alone 3 vessels in the region have been hijacked and there have been nearly 20 reports of attacks in the region.

Navies from around the world have formed the Combined Task Force 150/151 in a bid to thwart the pirates and make an important international waterway safely navigable. Whilst the Combined Task Force has been in the region since 2002, there has been a change of emphasis to piracy patrols since 2006.

The challenge for all the law enforcement agencies in the area is the need to intercept a suspect vessel quickly, detain it, board it and establish if it is a hostile, or a non hostile vessel. The actual pirate ships involved in hijacking the Sirius Star and Faina are only small fishing vessels – not The Black Pearl or other “traditional” pirate ships. The days of flying the Jolly Roger are long gone! This needs to be done swiftly to ensure minimum risk to the boarding party. The interception is done by one or more high speed rigid inflatable boats (RIB), with a team of boarding operatives on, launched from a Mother ship. This may be backed up by helicopter, if the Mother ship is large enough to carry one, or calls in this added level of support.

The system is deployed to enable the Navy team to board a suspect Pirate vessel and search for arms or other suspect cargo, whilst providing a live video and voice feed back to the Mother ship. In addition to the real time live feed, data can be sent back to the mother ship enabling biometric tasks like finger printing and photographs to be done in real time. In theatre the Navy has been able to have an Interpreter on the bridge of the Mother ship listening to everything being said on the boarded pirate ship and advise the boarding party, in real time, of what is being said. The result is a much quicker and safer inspection of potential pirate vessels in the region. When used in action the system has helped confiscate rocket propelled grenades and AK-47s machine guns, arrest pirates and sink their vessel before handing the pirates over to the local Coast Guard.

The system itself uses a mix of commercial off the shelf products, with purpose built applications, to ensure the best mix for the Navy of both cost and functionality. Using rugged, secure WiFi equipment from Rajant, a high bandwidth data network can be established very quickly and automatically using unique meshing technology, between the Mother ship and smaller fast moving RIBS, and even helicopters. The key advantage is an increase in situational awareness for command and control.

For operational reason’s we are unable to provide details of the Navy vessel involved.

David Hobson Managing Director of Global Secure Systems said “We are delighted to be involved in such a significant project where at last the problem of Somali pirating can be stamped out. The WiFi meshing technology is a highly secure and cost-effective solution for our client Navy. Used as a core part of the Systematic Sitaware Maritime Boarding system, it has proved its worth on its first engagement in theatre. We already provide secure WiFi equipment to many other security agencies and we look forward to providing these off the shelf solutions for other agencies including emergency responses, civil defence and counter-terrorism, as it can be successfully and inexpensively adapted for different situations.”
For more information visit www.gss.co.uk

Yvonne Eskenzi - Eskenzi PR

Cyber-Ark Posts Record Results and wins 500th customer

Cyber-Ark Posts Record 2008 and Achieves Major Milestone with 500th Customer Win

Company Signs More Than 130 New Global Customers; Achieves 40 Percent Year over Year Revenue Growth

London, February 2009Cyber-Ark Software, the leading provider of solutions for Privileged Identity Management (PIM) for securing privileged user accounts and highly-sensitive information across the enterprise, today announced it added more than 130 new global customers in 2008, including Kaiser Permanente, which marked the company’s 500th customer win. Cyber-Ark’s expanded partnerships, growing customer base and proven information security products fuelled the company’s record 40 percent year over year revenue growth.

“With insider threat and data breaches at an all time high, and auditors enforcing an increasingly controlled environment, companies cannot afford to take security risks with their core assets,” said Udi Mokady, President and CEO of Cyber-Ark Software. “As demonstrated by our 2008 growth, the world’s most well-known brands continue to turn to Cyber-Ark to secure their privileged identities and sensitive data. With the ability to quickly demonstrate the value of our products on enterprises’ security and compliance requirements, we are confident about the outlook for 2009 as we continue to enhance our products to meet customers’ increasingly complex security needs.”

Significant Enterprise Customer Growth

Cyber-Ark recorded significant corporate growth and market expansion in 2008, with an impressive 130 new customers added in the US, Europe and Asia-Pacific. Cyber-Ark expanded its already-strong portfolio of customers in sectors such as financial services, retail, energy and government.

Specifically, new customers in 2008 included Ann Taylor, Mass Mutual, the MAN Group, American Express, Fortis Bank, DBS Bank, GameStop, Pizza Hut, Aviva, Progressive Insurance, McCormick & Company ,and Bvlgari. Cyber-Ark also extended its relationships with existing customers such as Barclay’s, Williams Companies and ING.

Cyber-Ark has closed 15 deals with Fortune 100 companies in the past six months, most recently adding one of the world’s largest and most influential banks in a seven-figure deal. With this win, more than 35 percent of the Fortune 50 have selected Cyber-Ark, making the company the Privileged Identity Management partner of choice for the financial industry.

Product Enhancements and Industry Recognition

Cyber-Ark launched a number of product enhancements over the past year, and was recognized with several high-profile awards recognizing the value, performance and customer satisfaction delivered by its solutions. Cyber-Ark announced version 5.0 of the Inter-Business Vault®, its widely-used Managed File Transfer solution, along with the Enterprise Password Vault™ 4.6, which delivers a new level of support for securing App2App identities. Cyber-Ark’s Enterprise Password Vault was named the winner of Network World magazine's first ever "Clear Choice Test" for Privileged Account Management (PAM) products. It also received SC Magazine’s 5 out of 5 star group test rating and "Best Buy" award rating for password management products.

Strategic Partnerships

In addition to its customer momentum, Cyber-Ark continued to expand its global presence through strategic partnerships. The company recently joined Check Point’s Open Platform for Security (OPSEC™) Alliance Program. As a member of the OPSEC alliance program, Cyber-Ark has demonstrated the ability to integrate Inter-Business Vault with Check Point security solutions, allowing joint customers to safeguard data exchanged through its product.

Cyber-Ark® Software is the leading provider of Privileged Identity Management (PIM) solutions for securing privileged user accounts and highly-sensitive information across the enterprise. Long recognized as an industry innovator for its patented Vaulting Technology®, Cyber-Ark's digital vault products include: The Enterprise Password Vault® for the secure management of administrative, application and privileged user accounts; the Inter-Business Vault®, a secure infrastructure for cross-enterprise data exchange of highly-sensitive information, and the Sensitive Document Vault™ for secure storage and management of highly-sensitive documents. Cyber-Ark's Vaulting platform has been tested by ICSA Labs, an independent division of Cybertrust and the security industry's central authority for research, intelligence, and certification testing of security products. Cyber-Ark's award-winning technology is deployed by more than 500 global customers, including 100 of the world's largest banks and financial institutions. Headquartered in Newton, MA, Cyber-Ark has offices and authorized partners in North America, Europe and Asia Pacific. For more information, visit www.cyber-ark.com.

Yvonne Eskenzi, Eskenzi PR

Interxion Partners with Espanix, Southern Europe’s Leading Internet Exchange

Interxion, a leading European operator of carrier-neutral data centres, and Espanix, the leading Internet exchange in Southern Europe, today announced a partnership agreement that will extend the Espanix exchange infrastructure into Interxion’s Madrid data centre. The agreement will allow Interxion’s Madrid customers to reduce latency and transit costs by peering directly with Espanix, while Espanix members will be able to expand their applications infrastructure in the security of Interxion’s 4,000m2 facility. The new Espanix infrastructure will go live at the beginning of March, and a number of Interxion customers have already signed up.

“For us, connecting to Espanix makes perfect sense, said Rubèn Bouso, Technical Director of Dinahosting, one of Spain’s fastest growing hosting companies, and one of the first Interxion customers to connect to Espanix. “We have a constant need to improve the quality of user experience for our customers, and the lower latency we get from peering at Espanix, in combination with the cost reduction in our IP traffic, makes very good business sense.”

Espanix ranks among Europe’s largest internet exchange points measured by traffic volume, handling more than 125 Gigabits per second. It is the 15th European Internet exchange to locate in one of Interxion’s 24 European data centres, and its members now join Interxion’s pan-European community of over 500 connected carriers and ISPs.

"By enabling our customers to exchange IP traffic with Espanix’s members and vice versa, both groups will benefit, and our position as one of Spain’s leading connectivity hubs will be strengthened,” said Robert Assink, Interxion Spain Managing Director. "At Interxion, Espanix members can build out secure, serviced network and content delivery infrastructure as and when demand requires, and Interxion customers can gain improvements in quality and cost-effectiveness by peering directly at Espanix.”

Interxion is a leading European provider of carrier-neutral data centres. Headquartered in Schiphol-Rijk, The Netherlands, Interxion serves its customers from 24 carrier-neutral data centres located in 13 cities across 11 European countries. Interxion serves network and carrier-based, hosting and enterprise customers who require professionally managed and strictly controlled physical environments within which to operate mission-critical applications and computer systems. Interxion’s data centres offer cost-effective and fast access to multiple local and global communication networks.

Interxion is a Patron of Euro IX, the European Internet Exchange Association.

For more information please visit www.interxion.com

Espanix is a non-profit private association, composed of the 48 most important telecommunications operators in Spain. Their mission is to promote the exchange of Internet traffic in Spain. Founded in 1997, Espanix is the principal neutral Internet exchange in Spain and among the leading internet exchange points in Europe by traffic volume, handling more than 125 Gigabit per second. Espanix is a founding member of Euro-IX, the European Internet Exchange Association which joins 44 of the neutral Internet exchanges in Europe.

For more information please visit www.espanix.net

Source: Spreckley Partners Limited

Making the Best Use of Your Security Budget in Lean Times: Four Approaches

By Elizabeth Ireland, Vice President Marketing, nCircle Ltd

Many predict 2009 will produce the tightest economic conditions in decades. The subprime meltdown, tight credit markets and recession conditions will mean most CIOs will feel the downward spiral of the economy right where it hurts -- in their IT budgets.

Unfortunately, this also coincides with the most serious threat environment security professionals have faced. Hackers’ tactics are becoming more targeted. The increase in the number and business importance of web applications is generating additional enterprise risk. Budgets may get tight, but your responsibility remains the same: minimize risk.

It’s a tall order in the face of possible spending cutbacks, but because budgets are tight, you have to be focused on how to best reduce risk, and it definitely doesn’t mean less attention on security. In fact, at times like these, that may be the biggest mistake. The highest levels of an organization are asking their CIOs “how do we know we’re secure?” The only way you will know that is by understanding the risks, better understanding the ROI, and how it fits into not only your other IT priorities, but also adds to the company’s bottom line. Defending the security budget is always a challenge, but here are four approaches that can help.

1. Metrics make the most compelling argument. Ask yourself this question: Is your security risk going up or down over time and what is impacting it? This is baseline data that every organization needs and should be on track to monitor. If you cannot answer this clearly, realign your projects and priorities to make sure you can get this information on an ongoing basis. Every CIO should know at least three things: how vulnerable are my systems, how safely configured are my systems, and are we prioritizing the security of the highest value assets to the business? Though security metrics are in the early days of development and adoption, the industry is maturing and solid measurements are available. These areas can be assessed and assigned an objective numeric score, allowing you to set your company’s own risk tolerance and use that to make critical decisions about where to allocate funds. As you face increased budget scrutiny, the metrics allow you to identify – and defend as necessary-- where your security priorities are, and how security and risk fit into overall ROI.

2. Compare your baseline to others in your industry. The guarded nature of security data means CIOs trying to access this type of information will have to get creative. A good place to start is the Center for Internet Security -- their consensus baseline configurations can be used as a jumping off point to identify areas of risk. Vertical industry benchmarks will be an evolving area, and another source may be what you can learn from your personal relationships. Seek out others within your industry and find out what metrics they are using and what they are spending as a percentage of their IT budget. Risk tolerance is specific to each organization, but there are similarities within industries that could prove to be helpful.

3. Learn from other areas in your company. Many process-oriented disciplines can be a good area as a proxy for the type of evolution facing security; network operations are a good example. In the early days of network operations, the only scrutiny came if things weren’t working correctly. Over the years, it has matured to a level of operational metrics for uptime and performance, and is embedded in quarterly and annual performance goals. These metrics allow a continuous cycle of performance, measurement and improvement. In addition, network operations can provide an important lesson of single solution economies of scale. Find solutions that work across your entire enterprise—this is the only way to get economies of scale in implementation and ensure you get the critical enterprise-wide risk information that can deliver the metrics you need.

4. Take steps to automate your compliance process. Are you compliant and can you routinely deliver the reports that auditors request? The economic benefits that come from doing this correctly are significant. Audit costs are directly related to how complicated it is to audit and prove the integrity of a business process, so finding a way to save the auditors’ time is one of the single biggest opportunities to drive down costs. Even though your audit costs may be hitting the finance area’s budget, meet with your company’s finance team to understand what audits are costing you, and how the right kind of automation could lessen them and there will certainly be time and resource savings for the security team as well. There isn’t an exact recipe for compliance automation, so talk to your auditors, look at your environment, and begin the discovery of how much time is spent preparing for and reacting to audits. If you’re a company that allows your divisions to individually automate, it’s time to think about taking those principles enterprise-wide.

Regardless of budget conditions, you will still be faced with decisions on which projects have the biggest impact on the business. The threat environment requires that you make the absolute best decisions with your available budget by investing in the right places and getting better use of your resources. Lastly, remember that times of difficulty are often the times of opportunity. Lessons learned now in the face of tighter budgets can spark valuable models of efficiency and progress for the future.

nCircle Ltd is exhibiting at Infosecurity Europe 2009, the No. 1 industry event in Europe held on 28th – 30th April in its new venue Earl’s Court, London. The event provides an unrivalled free education programme, exhibitors showcasing new and emerging technologies and offering practical and professional expertise. For further information please visit www.infosec.co.uk

Courtesy: Inforsecurity PR

Protection from Microsoft vulnerabilities

by Michael Smith

The operating system and its vulnerabilities is one thing that you, as the ordinary user, cannot do much about except for, and I am not an advocate of that really, downloading the Windows update patches and there are a number of reasons for that. Not the least one of them being that more than once now a patch from Microsoft has disabled one or the other software on my PC or one that used to run on the PC and now no longer does, such as the hardware encrypted USB sticks such as Sandisk Cruzer Enterprise and Data Traveler Black Box. The biggest laugh at the latter case is that MS then released a patch too correct the faulty patch – a hotfix. The problem is thought that the hotfix is fixing nothing, absolutely nothing.

It is obvious that I am not alone in this experience from those that use XP and who also have Cruzer Enterprise sticks that have stopped working. The failure of those USB devices is not due to any problem with the sticks themselves but with a Windows patch that messed things up and which is also non-removable.

On the other hand those vulnerabilities that come with, say, MS WORD, and MS OFFICE per se, in its various forms, can be overcome by using Open Source programs that do the same as those, such as Open Office. In addition to the fact that Open Office seems more stable than MS Word, for instance, I am, so far, unaware of any problems in the program, and, the best part, it is (1) totally compatible with MS Office files and saves them, if required, in that format too, and (2) it is a free program.

As for the problems with the operating system itself there too are other options available in the Open Source field, such as Linux, or others, and all those are also, as Open Office is, free.

What has to be said here is that Linux is NOT Windows and does not, necessarily, behave in the same way. For some, therefore, the use of Linux would be a learning curve of sorts though I cannot see any problems in that field.

Also Open Office is not MS Office, for instance, and some keyboard shortcuts, especially, are different to those in MS Office. However, they are very quickly picked up and I am sure that users will find Open Office as easy to use as MS Office. The advantage, once again, with Open Office is that it is not a proprietary software and can be installed from on CD, for instance, on as many computers as one would desire. There is no license fee payable and this makes it a great choice in today's climate; I am referring to the economic one and not the weather kind.

I have stitched from MS Word and Office some time back to Open Office and must say that I find Open Office easy to use and most things are as good as in MS Word, as far as the word processor is concerned. And added bonus, as far as I am concerned, is the “one click” PDF conversion that is built into Open Office and has been so for ages, making it in this way miles ahead of Microsoft and its Office program where, as far as I am aware, we do not, as yet, unless it is something that has come out in the latest version of Office, have that facility.

I will happily admit that one of my main reasons to go for Open Office was firstly that it is Open Source software and that, hence, I did not have to buy a license from deal old Microsoft it means that it was also free; free as in gratis. But, I am digressing again.

It seems to me that, primarily, unless I am very mistaken, those lapses with holes in software and those exploitable vulnerabilities, whether operating systems or other programs, seem to be a rather inherent problem with Microsoft. It always gets to me that they expect people to also pay for all those vulnerabilities that, in the end, can cause us problems.

While it is true that the likes of the Firefox browser – an Open Source Internet Explorer replacement – also, occasionally, has flaws, they get patched very fast and also the kind of protection that has been part of Firefox for a long time already Microsoft is only now bringing in.

Some would say that the reason that, for instance, Linux is free from viruses because there are no viruses written for it for the simple reason that it is not as common as Windows and Apple, the way I see it is also that Linux works differently and no changes to the kernel and such can be made without the administrator's password. Sure things like that could also be put into Windows? Makes you wonder as to whether some people are in cahoots with others to generate more money.

© M Smith (Veshengro), January 2009

Positive moves expected from Parliamentary Forum on E-Crime

Infosecurity Europe expects positive moves from next week's ISPA Parliamentary Advisory Forum on E-Crime

London, UK 17th February 2009 - Monday, 23rd of February, sees the Annual Parliamentary Advisory Forum on E-Crime taking place, with speakers including Alun Michael, the Parliamentary Under-Secretary of State for the Home Office and Detective Superintendent Charlie McMurdie of the newly-formed Police Central e-Crime Unit lined up to speak.

The organisers of the Infosecurity Europe Show, the number one dedicated information security event, say that they are expecting good things from the ISPA-sponsored forum.
"This event will effectively be the launch pad for the Police Central e-crime Unit (PCeU) and, judging from events in Parliament late last year, everyone will be watching DS McMurdie and how she sets the stage for the PCeU's initial focus," said Tamar Beck, Group Event Director, Infosecurity Europe.

"Late last year, during a debate on Internet fraud, MPs urged the government to look again at the seven million pound initial funding for the PCeU, with Conservative MP Nigel Evans noting that seven million pounds may not be enough," she added.

According to Beck, Evans' comments were echoed by Liberal Democrat MP Tom Brake who also noted that there are concerns that the initial funding will be enough to resource the PceU.

Home office Minister Alan Campbell, says Beck, has claimed that the PCeU will be supported by other bodies under the 29 million pound National Fraud Programme.
This, she explained, includes the National Fraud Strategic Authority (NFSA) and the National Fraud Reporting Centre (NFRC).

And, she says, since Campbell is on the same platform as DS McMurdie next Monday, it will be very interesting to see how things pan out.

Shadow crime-reduction minister, James Brokenshire, she added, has said that, whilst the Conservatives approve of the PCeU's creation, the UK is still not taking e-crime as seriously as it should.

"Brokenshire said in last November's Parliamentary debate that, whilst she welcomes the creation of the PCeU, its formation is an admission that the Government was wrong to get rid of the National Hi-Tech Crime Unit," she said.

"It will be very interesting to see how Alun Michael and Alan Campbell square up to these criticisms, but is also to be hoped that positive results come out of next Monday's ISPA-sponsored Parliamentary Forum," she added.

Ms Charlie McMurdie, Detective Superintendent, Police Central e-crime Unit, New Scotland Yard is speaking in a keynote on Who Should Police The Global Internet at Infosecurity Europe and Mr James Brokenshire MP, Shadow Crime Reduction Minister, Member of Parliament for Hornschurch is speaking on The Dynamics of e-Crime. For details of these keynotes and the full FREE education for Infosecurity Europe 2009 which takes place at Earls Court, London from 28th – 30th April 2009 visit http://www.infosec.co.uk

Infosecurity Europe, running for its 14th year in 2009, is Europe’s number one Information Security event. Featuring over 300 exhibitors, the most diverse range of new products and services, an unrivalled education programme and visitors from every segment of the industry, it is the most important date in the calendar for Information Security professionals across Europe. Organised by Reed Exhibitions, the world’s largest tradeshow organiser, Infosecurity Europe is one of five Infosecurity events around the world with events also running in Belgium, Netherlands, Russia, and France. Infosecurity Europe runs from the 28th – 30th April 2009, in its new venue Earls Court, London. For further information please visit www.infosec.co.uk

Neil Stinchcombe, Eskenzi PR

Experts warn Cloud Computing may be safe harbour for malware

GSS warns that Cloud Computing may be safe harbour for malware

Global Secure Systems, the value-added IT security consultancy, has warned that Cloud Computing may turn into malware-fest after researchers have found a method of using the Amazon EC2 service as a BitTorrent host/downloading mechanism.

"Using P2P programs like BitTorrent has always been a risky procedure for PC users owing to the issue of infections arriving along with the pirated software and other executables. Reports have just come in, in fact, that BitTorrent is hosting a malware-loaded version of the Apple iWork software," said David Hobson, GSS' managing director.

"What is even more worrying, however, is the fact that researchers have developed a method of using the Amazon EC2 Cloud Computing service as a remote harvester and hosting system for BitTorrent files," he added.

This means, says Hobson, that hackers and other interested parties can simply use a prepaid (and anonymous) debit card to pay the $75 a month fee to Amazon and harvest BitTorrent applications at high speed with little or no chance of detection.

This, he explained, raises P2P filesharing to a whole new level, and is almost certain to dramatically increase the usage of BitTorrent - with all the risk the facility entails - amongst experienced Internet users.

"The danger here is that companies may find their staff FTP-ing files from Amazon EC2 - a completely legitimate domain - to the firm's computers, resulting in an internal computer infection. The consequences of this do not bear thinking about," he said.

According to Hobson, companies thinking of using Cloud Computing services need to think very carefully about extending their IT security envelope to counter this and other issues that arise from the use of the Cloud.

No-one could have envisaged the security risk of using a Cloud Computing resource as a BitTorrent harvester, but it has happened and companies need to be ware of the potential risk the technology now poses, he said.

For more on the use of Amazon EC2 as a BitTorrent harvester: http://tinyurl.com/77rogn

For more on GSS: http://www.gss.co.uk

Yvonne Eskenzi
Eskenzi PR

CREDANT sponsor Open Security Foundation to track breaches

Open Security Foundation and CREDANT Technologies Partner on Data Security Initiatives Sponsorship aims to educate on the state of the data protection industry

London 11 Feb, 2009CREDANT Technologies, the market leader in data protection solutions, today announced it has entered a partnership agreement with the Open Security Foundation, a non-profit organization dedicated to tracking and reporting security vulnerabilities and breaches of personal information.

The Open Security Foundation's DataLossDB, (http://datalossdb.org/) a research project that documents known and reported data loss incidents worldwide, recently announced the inclusion of the Primary Sources Archive. The Primary Sources Archive is a collection of breach notification letters sent to various jurisdictions.

“Though security breaches, hacking, identity theft and other types of data loss occur frequently, many of these incidents go unreported, ” said Michael Callahan, Chief Marketing Officer for CREDANT Technologies. “By collecting this vital information in one place, the Open Security Foundation is creating a means to educate the market on the state of data security today. The more knowledgeable companies, employees and solution providers are the better equipped we will all be to ensure critical data is protected."

"We think that this partnership will help bring more exposure to incidents that have affected millions of people across the world," said David Shettler, Vice President and Chief Technology Officer for Open Security Foundation. "CREDANT has offered to help us in our efforts to bring these incidents to light, and we hope people and organizations will take notice and consider what they might have to do to protect their personal information from misuse or harm."

Open Security Foundation’s Primary Sources Archive and database have been gathered by staff and volunteers, and are considered to be a leading resource of information for breaches involving the loss, exposure, and theft of personal information. Currently, OSF is accumulating more Primary Source documents via the Freedom of Information Act, which involves contacting various local and state governmental agencies.

The Open Security Foundation (OSF) is a 501(c)(3) non-profit public organization founded and operated by information security enthusiasts, formed to empower all types of organizations by providing knowledge and resources so that they may properly detect, protect, and mitigate information security risks. To that end, the Foundation has established the DataLoss Database, a free and open resource for the collection and dissemination of data loss incident-related information. For more information, visit http://datalossdb.org/.

CREDANT Technologies is the market leader in endpoint data protection solutions. CREDANT’s data security solutions mitigate risk, preserve customer brand, and reduce the cost of compliance, enabling business to “protect what matters.” CREDANT Mobile Guardian is the only centrally managed endpoint data protection solution providing strong authentication, intelligent encryption, usage controls, and key management for data recovery. By aligning security to the type of user, device, and location, CREDANT permits the audit and enforcement of security policies across all computing endpoints. Strategic partners and customers include leaders in finance, government, healthcare, manufacturing, retail, technology, and services. CREDANT has been recognized by Inc. magazine as the #1 fastest growing security software company in 2008 and 2007; was selected by Red Herring as one of the top 100 privately held companies and top 100 Innovators; and was named Ernst & Young Entrepreneur of the Year 2005. Austin Ventures, Menlo Ventures, Crescendo Ventures, Intel Capital, and Cisco Systems are investors in CREDANT Technologies. For more information, visit www.credant.com.

Yvonne Eskenzi, Eskenzi PR

New Risk IT Framework from the IT Governance Institute

IT Governance Institute Seeks Public Comments on New Risk IT Framework

Rolling Meadows, IL, USA, 11 February 2009 —The nonprofit, independent IT Governance Institute is seeking public comment on its new IT risk framework, which is based on the globally recognized COBIT IT governance tool set. Comments on Enterprise Risk: Identify, Govern and Manage IT Risk: The Risk IT Framework (Risk IT) will be accepted through 13 March 2009 at www.itgi.org.

While COBIT (Control Objectives for Information and related Technology) sets good practices for the means of risk management, Risk IT sets good practices for the ends, by providing a framework for enterprises to identify, govern and manage risk.

The Risk IT framework explains IT Risk and will enable users to:

  • Integrate the management of IT risk into the overall enterprise risk management of the organization
  • Make well-informed decisions about the extent of the risk, the risk appetite and the risk tolerance of the enterprise
  • Understand how to respond to risk
  • The Risk IT framework addresses many issues enterprises face today and provides:
  • An accurate view of the current and near-future IT-related risks throughout the extended enterprise and the success with which the enterprise is addressing the risks
  • End-to-end guidance on how to manage IT-related risks, beyond both purely technical control measures and security
  • An understanding of how to capitalize on an investment made in an IT internal control system already in place to manage IT-related risk
  • When assessing and managing IT risk, integration with the overall risk and compliance structures within the enterprise
  • A common framework/language to help manage the relationship amongst executive decision makers (board/senior management), the chief information officer (CIO) and enterprise risk management, or between auditors and management
  • Promotion of risk responsibility and its acceptance throughout the enterprise
A complete risk profile to better understand risk, so as to better utilize company resources
Risk IT is designed for:
  • Top executives and boards of directors who need to set direction and monitor risk at the enterprise level
  • Managers of IT and business departments who need to define risk management processes
  • Risk management professionals who need specific IT risk guidance
  • External stakeholders
The framework has nine business processes divided into three domains: Risk Governance, Risk Evaluation and Risk Response. It also offers management guidelines, RACI (Responsible, Accountable, Consulted and Informed) charts, maturity models and goals and metrics.

As the Risk IT initiative evolves, it will include practitioner guidance, case studies and supporting materials. Additional information is available at www.itgi.org/riskit.
The IT Governance Institute (ITGI) (www.itgi.org) is a nonprofit, independent research entity that provides guidance for the global business community on issues related to the governance of IT assets. ITGI was established by the nonprofit membership association ISACA in 1998 to help executives and IT professionals ensure that IT delivers value and its risks are mitigated through alignment with enterprise objectives, IT resources are properly managed, and IT performance is measured. ITGI developed COBIT and Val IT, and offers original research and case studies to help enterprise leaders and boards of directors fulfill their IT governance responsibilities and help IT professionals deliver value-adding services.

Darshna Kamani, Eskenzi PR

Brocade enhances data management at Van Lanschot Bank

Brocade® , has announced that F. van Lanschot Bankiers N.V, the oldest independent bank in The Netherlands, has deployed four Brocade 48000 Directors as part of an organisation-wide data management strategy that aims to simplify storage management and accommodate the bank’s growing storage demands, driven by next generation services such as Internet banking. Delivered through EMC and Comparex, the Brocade 48000 Directors will optimize Van Lanschot’s current storage infrastructure, and help the organization deliver competitive advantage to its users.

As the oldest independent bank in The Netherlands (founded 270 years ago), Van Lanschot’s sense of duty to its customers is beyond doubt. Today, its services mainly focus on high net-worth individuals and entrepreneurs. The key driver behind Van Lanschot’s engagement with Brocade was to enable the highest quality data storage. As part of an overall architecture which encompassed EMC Symmetrix DMX-4s, EMC Disk Libraries and EMC Celerra gateways, Access Gateways in its bladed server environments, the bank’s selection of Brocade’s 48000 Directors for the heart of its data centre helps consolidate its existing storage footprint (from 24 switches to four Brocade 48000 Directors) and in turn simplifies overall SAN management.

The Brocade 48000 Director is proven technology that will not only serve Van Lanschot’s immediate needs, but also those of the future, Van Lanschot is confident that it will be able to reap the benefits in a short timeframe.

"Exploiting the corporate information assets is essential in any industry, but is particularly important in the financial services sector”, commented Claus Egge, Program Director at IDC's Storage Group. “By leveraging the potential of next-generation storage solutions [virtualisation, consolidation, data protection], banks are able to simplify storage management which in turn enables smarter provisioning of information to their internal and external customers."

In just three months, Van Lanschot was able to fully migrate the Brocade 48000 Directors into its existing storage architecture with no problems. In the future, the bank aims to expand its data management strategy with VMWare functionality and in-flight migration techniques that will equip it to meet the needs of its evolving customer base.

The Brocade 48000 Director is the industry’s leading director-class platform for enterprise SANs, delivering powerful 8Gb and 4Gb connectivity, advanced hardware and software capabilities, and “five-nines” reliability. The Brocade 48000’s modular design and high port density provides a flexible and scalable solution for large open systems and System z environments in round-the-clock data centres. Organisations can utilise it as a standalone director, at the core of a multi-switch SAN, or at the edge of a Brocade Data Centre Fabric (DCF) architecture.

Van Lanschot NV is the holding company of F. van Lanschot Bankiers NV, the oldest independent bank in the Netherlands with a history dating back to 1737. Van Lanschot focuses on three target groups: high net-worth individuals, medium-sized businesses (including family businesses) and institutional investors. Van Lanschot stands for high-quality services founded on integrated advice, personal service and customised solutions. Van Lanschot NV is listed on the Euronext Amsterdam Stock Market.

Brocade® develops extraordinary networking solutions that enable today’s complex, data-intensive businesses to optimise information connectivity and maximise the business value of their data. For more information, visit www.brocade.com

Source: Spreckley Partners Limited

Cyber warfare – how secure are your communications?

by Mike Simms, Vice President, EADS Defence & Security Systems

Almost every week the media reports on negligent loss of data, much of it highly sensitive. Perhaps with so many people using so much data in so many different places we should not be so surprised.

Today more and more organisations – emergency services, government departments and financial institutions – hold information nationally and access it nationally, and, in some cases, offshore it.

There is relatively little offshoring of information by government. But corporate organisations, credit helpdesks and so on hold their customer relations management overseas.

They share information over the web with a vast number of IT systems and databases. It is almost impossible for anyone to know on what scale this information is accessible.

The aggregation of information, in itself, escalates the level of sensitivity. So there is greater risk of abuse or corruption, either intended or accidental, as in the loss of the child benefit database last year.

Unfortunately, shared technology increases risk, and criminals and vandals are using this same technology to remotely attack data systems. These attacks can be very successful, and by their nature make the deterrent of legal action more difficult.

We are faced with different threat levels to network-based information systems. These range from the careless user who leaves a disc on a train to foreign intelligence services who engage in cyber warfare against perceived enemies.

An example of the latter centres on the Russian incursion into Georgia in response, they said, to Georgia’s attack on the breakaway republic of South Ossetia. In the weeks leading up to this, Russia had disabled the Georgian president’s website with a massive spam attack – what is known in the trade as a ‘denial of service attack.’

So in the quest to satisfy the network-enabled world’s increasing demand for effective data protection, the first step is an accurate assessment of risk.

At the lowest level, but the most common source of threat, are the millions of users themselves. They might lose a data stick, leave a laptop on public transport, or write their password on a Post-it note and stick it on their computer screen!

Next up are the service providers. With outsourcing on the rise you need to be confident your service providers conduct rigorous processes in how they look after their networks and information.

Higher still are the amateur hackers, of which there are many, although they are opportunistic and immediately they hit a firewall will probably move on.

At the pinnacle of threat are sophisticated hackers who are often linked to criminal gangs, and foreign intelligence services. These may be relatively few in number – but they have a lot of resources behind them, and therefore need correspondingly greater efforts to fight them.

Assessing the appropriate level of response for each of these threats is therefore the starting point to resolving the problem. There is no point in overkill, locking down systems so tightly that it imposes on the system’s usability if the information it contains is fairly innocuous.

When it comes to protecting our data many of us, it seems, are still stuck in the Dark Ages. People think IT protection is just about the computer. It is not the computer but the system it is running on that is most vulnerable. We now need to concentrate on how to secure information as it is being transported across networks.

Putting all the necessary protection into computers would be expensive, so making sure that computers can operate on secure and trusted networks is important because of the way we work today, using laptops, working away from the office, all done over public networks.

In Britain, sophisticated information assurance services are being developed which span cryptography, computer network defence, intruder detection and business continuity.

Computer network defence is the front line of cyber warfare. For some clients such as government, banks and financial institutions this means real time 24/7 activities manned by people in special trusted locations, and constant updating of threats.

It is vital to know what level of protection you need. But however good your information assurance is, if someone else has not taken adequate steps they are the weak link and your data is vulnerable because of them. In this network-enabled world we all depend on each other as never before.

EADS is exhibiting at Infosecurity Europe 2009, the No.1 industry event in Europe held on 28th – 30th April in its new venue Earl’s Court, London. The event provides an unrivalled free education programme, exhibitors showcasing new and emerging technologies and offering practical and professional expertise. For further information please visit www.infosec.co.uk

Courtesy: Infosecurity PR

phion in use at Herba Chemosan - Using the pharmacists’ portal to submit orders securely and easily

Herba Chemosan Apotheker-AG is the leading pharmacist wholesaler and service provider in Austria with a market share of 48 percent. Pharmacists throughout the whole country buy their medicines directly from Herba Chemosan via an Internet portal. The respective web applications are protected by airlock, which ensures both the best possible security and availability.

Herba Chemosan is Austria’s industry leader in pharmaceutical distribution. Almost every second medicine or health product sold over the counter in an Austrian pharmacist originates from one of the seven national Herba Chemosan logistics centres. This tightly-woven logistics network ensures fast operational and simplified work processes and as such also improved quality controls as well as higher delivery capabilities. The warehouse range comprises a total of over 42,000 different articles. The Herba Chemosan drivers make deliveries to over 1,000 pharmacists, doctors and hospitals every day; the deliveries are made within two hours after order receipt.

The telephone is replaced by the Internet

Ordering from Herba Chemosan used to be a fairly complex and expensive affair, because orders were submitted either by telephone or modem. Pharmacists were given access to 36 telephone lines with a free of charge number. This solution, developed originally by Herba Chemosan, was ideal for many years. However, in the meanwhile the technology has become obsolete and no longer meets the high expectations placed on a service company.
Herba Chemosan therefore took the strategic business decision to completely modernise their entire order processing systems and convert to an Internet-based solution.

The objective was to provide the customers with a service portal that met the individual pharmacist’s requirements and offered true added value. The portal should, on the one hand, work as a direct link to the Herba Chemosan merchandising system and on the other hand, also serve as an information hub.

Web applications need special protection

A web portal of these dimensions requires comprehensive protection, because otherwise it can become an easy target for attackers. This threat was identified at Herba Chemosan and the company gave careful consideration to the new system’s security. “It was clear for us that access to the web portal would have to have its own security to ensure that system access was really only given to authorised users”, explains Josef Pernecky, Network and Security Administrator at Herba Chemosan. “So we decided to give the web applications the best possible protection with prior security functions in a Web Application Firewall (WAF).”
Subsequent to careful evaluation of a suitable WAF solution Herba Chemosan decided in favour of airlock. Determining factors in the decision making process were the simple manageability, the expert consultation and of course the improvements in security at the application level.
“During the conversion to the new online system Herba Point – the service portal
it was really important for us to have support from a competent partner with a high degree of expertise and experience in the security field. A further important factor was the straightforward integration of airlock into our VMware environment”, adds Josef Pernecky. “And apart from this, we were really impressed by the personal commitment and the professional approach of the phion employees on site.”

Web Application Firewall (WAF) keeps unauthorised visitors out

The entire implementation ran smoothly and according to plan. The new web portal went into productive operation subsequent to a short test phase. Since then, the web applications protected by airlock at Herba Chemosan are monitored around the clock.
All access requests are systematically monitored and filtered at all levels. Initially the identity and authenticity of the individual user is tested, only authorised connections by successfully authenticated users are then approved. Each request must run through a multilevel filer that automatically identifies and blocks any unauthorised access or manipulation attempts in a fraction of seconds.
Aside from this strong security network with the different filer levels airlock also ensures optimum availability with cluster operation, application-level load distribution with failover as well as hardware accelerated SSL termination.
As a preceding Web Application Firewall, airlock relieves your application servers from security related tasks too. A further benefit is that the infrastructure can be optimised, because the operating system neither has to be configured nor administered and a modification or integration of client or applications software is not required. Overall Herba Chemosan now has the most up-to-date and effective mechanisms at hand to guard the new pharmacists’ platform.
Since the launch of the web portal the old modem ordering system has been gradually replaced. The objective is to have completed the conversion by the end of 2008. “Until now our experience with the portal has been very good and the feedback from the pharmacists is extraordinarily positive”, says Josef Pernecky, taking stock. “It just takes a maximum of one or two seconds to place an order with the new solution, compared to minutes previously – not an insignificant factor with over 10,000 orders per day. And thanks to airlock we are now able to protect our portal optimally against unauthorised access.”

phion UK Limited is exhibiting at Infosecurity Europe 2009, the No. 1 industry event in Europe held on 28th – 30th April in its new venue Earl’s Court, London. The event provides an unrivalled free education programme, exhibitors showcasing new and emerging technologies and offering practical and professional expertise. For further information please visit www.infosec.co.uk

Courtesy: Infosecurity PR

phion in use at Basel’s central computing centre: Web Applications Enjoy Special Protection

The central computing centre for Basel, the “ZID” – provides important services for all of the canton’s offices and departments. The primary focus here is upon maintaining centralised databases and cross-section applications, running the central computing administration as well as upholding and managing the canton’s communications network. Besides this the ZID also provides its customers with diverse web-based applications for daily work. With such high security and availability requirements the ZID uses airlock to protect its web applications

The ZID has, as an across-the -board service provider, diverse responsibilities and tasks: For example they run the canton-wide data network for Basel (DANEBS), the canton, the town and two municipalities, a telephone combine, in which the university is also financially involved, mail systems and web services and even a security skills centre. ZID mainly offers its services to over 100 offices in the seven departments as well as diverse administrative institutions. The 280 buildings are all networked with approximately 8 000 end devices, the number of supported telephones add up to over 10 000 – with the exception of hospitals. The ZID, which also includes the fiscal authorities, has a total of some 100 employees. Decisive success factors for the ZID are not only the high deliverability, but also the high reliability and above-average quality. Because no compromises of any kind can be entered into when it comes to IT security.

Security for e-Government

DANEBS, the data communications infrastructure for the administration, is based on fibre optic cables and TCP/IP-technology. The network is protected by firewalls. The network operation, along with the respective firewall infrastructure and the security zones all form the basic network services together with the mail backbone and the network-related directory services which are run by the Infrastructure department and managed by Hans-Peter Beiger. A special architecture model was defined or the e-Government applications in 2002. In order to meet the required security standards, the ZID planned not only to use firewalls in the outermost periphery, but also reverse proxy. The proxy server preceding the web servers process all incoming connections from the Internet and respond to the corresponding requests either completely autonomously or forward them on to the next level web servers.

airlock replaces Open Source

“The existing firewall infrastructure was pretty out of date, so we had to completely revise and restructure it as part of the e-Government project”, explains Hans-Peter Bieger. “Once we had developed extensive specifications, we found the partner to realise this project, by means of an invitation to tender, at Siemens AG. When it came to the issue of Reverse-Proxy our technology partner recommended airlock as the ideal solution for us.” Following thorough reviews of the various different tenders, ZID opted initially for an open source package – mainly for financial reasons “After about one year, it was apparent that we could not run the Open-Source solution as we had envisaged and that important functions were just not available”, recalls Hans-Peter Bieger. This was when the decision fell in favour of airlock.

However, the cost factor still represented a certain hurdle, so ZID and phion agreed upon an innovative rental model which cost roughly the same as an Open-Source solution.

A major role in many sub-projects

Replacing the Open Source solution with airlock was a smooth and unproblematic procedure. A good year later a major new project was started in which airlock once again assumed a very central role. The fist sub-project “Intranet for Extranet” involved setting up an authentication platform for extranet networks that corresponded to the canton administration’s strict Security Policies. Administration related organisations – such as for example hospitals or the BVB – were thus granted access to the administration’s intranet. The objective of the second sub-project was the introduction of remote access for the administration. Now users can access diverse applications quite simply via the official and publically accessible homepage using their personal login and protected by airlock. Both subprojects were realised by the phion partner ISPIN.

“The next two subprojects are currently both in the deployment or planning phase. One of these involves broadening access to the intranet to include additional user groups outside of the administrative network. The other plans to implement alternative authentication procedures, which we are examining at present.” The applications protected by airlock at the ZID have been monitored continually since their introduction. In order to be authorised users must be successfully authenticated via authorised connections. Multilevel filers automatically identify and block unauthorised access or manipulation attempts. Or in other words: With airlock the canton administration for Basel has the most advanced and most effective mechanisms for guaranteeing the security and availability of their web applications.

Phion UK Limited is exhibiting at Infosecurity Europe 2009, the No. 1 industry event in Europe held on 28th – 30th April in its new venue Earl’s Court, London. The event provides an unrivalled free education programme, exhibitors showcasing new and emerging technologies and offering practical and professional expertise. For further information please visit www.infosec.co.uk

Courtesy: Infosecurity PR

Fortify Software Lands in Leaders Quadrant of Magic Quadrant for Static Application Security Testing

London 12 February 2009 - Fortify Software, the market leader in Software Security Assurance solutions, announced today that is has been positioned in the Leaders Quadrant of Gartner, Inc.’s “Magic Quadrant for Static Application Security Testing (SAST)” written by analysts Joseph Feiman and Neil MacDonald. Published February 6, 2009, the report is the first application security-centric Magic Quadrant to be released by Gartner.

The report is available here: http://www.fortify.com/magicquadrant/

"Over the last few years we have seen significant growth in the software security industry. In my opinion, that this is the first year for Gartner to publish a Magic Quadrant around these technologies says a great deal about how businesses are increasingly turning to proactive, preventative analysis solutions to protect their software and applications,” said John M. Jack, president and CEO of Fortify Software. “We believe our placement in the Leaders quadrant reflects our track record for innovating forward thinking technologies and our vision for the future of the market.”

Gartner, Inc.'s Magic Quadrant positions vendors in a particular market segment based on their vision and ability to execute. "Leaders" are performing well today, have a clear vision of market direction and are actively building competencies to sustain their leadership position in the market."

According the report, “SAST for security vulnerabilities should be a mandatory requirement for all IT organizations that develop or procure applications. Although the market is relatively new and consolidating, enterprises must adopt SAST technologies and processes because the need is strategic.”

Fortify has continued to grow its market leadership through the innovation of software security solutions that enable enterprises to reduce the business risk associated insecure software. Building on its successful independent technologies for static, dynamic and real-time analysis, Fortify announced its new flagship product, Fortify 360, in March 2008. While not included in the review for the 2008 SAST Magic Quadrant, Fortify 360 extends the companies track record for innovation by integrating the three levels of analysis and providing a dashboard for prioritized, collaborative remediation as well as a robust governance and reporting structure.

“With proven customer deployments at the largest worldwide enterprises, an effective global services team and an integrated product solution, Fortify continues to provide the technical and process-level expertise needed to implement an effective enterprise Software Security Assurance program," noted Jack.

The Gartner Magic Quadrant is copyrighted February 2009 by Gartner, Inc., and is reused with permission. The Magic Quadrant is a graphical representation of a marketplace at and for a specific time period. It depicts Gartner’s analysis of how certain vendors measure against criteria for that marketplace, as defined by Gartner. Gartner does not endorse any vendor, product or service depicted in the Magic Quadrant, and does not advise technology users to select only those vendors placed in the “Leaders” quadrant. The Magic Quadrant is intended solely as a research tool, and is not meant to be a specific guide to action. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Fortify®’s Software Security Assurance products and services protect companies from the threats posed by security flaws in business-critical software applications. Its software security suite—Fortify 360—drives down costs and security risks by automating key processes of developing and deploying secure applications. Fortify Software’s customers include government agencies and FORTUNE 500 companies in a wide variety of industries, such as financial services, healthcare, e–commerce, telecommunications, publishing, insurance, systems integration and information management. The company is backed by world–class teams of software security experts and partners. More information is available at www.fortify.com.

Yvonne Eskenzi
Eskenzi PR

Credant says Adobe/Forrester report & SchmooCon findings show companies remain concerned over latest Web 2.0 security

12 February 2009 - A report released today by Forrester Research, and commissioned by Adobe, has highlighted the fact that knowledge workers working in companies remain more than a little worried about the security of Web 2.0-based collaborative working systems.

"The Forrester research confirms the findings of research announced at the SchmooCon 2009 conference in Washington this week, which found that security on social networking sites is significantly wanting, despite the take-up of the technology by Internet users," said Michael Callahan, Credant's senior vice president.

"This conclusion, from researchers Nathan Hamiel and Shawn Moyer, has been confirmed by a Forrester report into knowledge worker collaboration, which found that the take-up of Web 2.0 services within companies is a lot lower than many people think," he added.

According to Callahan, the Forrester report reveals that only 15 per cent of European knowledge workers make use of Instant Messaging and just 13 per cent use Web conferencing.

Delving into the figures, he says, reveals that whilst 47 per cent of respondents are confident about the security of sharing e-data within their organisations, only 21 per cent are confident when sharing e-data outside of their company.

"These figures, extracted from 3,000 survey respondents, clearly show that company staff remain concerned about the security of Web 2.0 technologies and allied forms of sharing data with colleagues outside of their organisation," said Callahan.

According to Credant's senior vice president, this analysis is confirmed when you look at Hamiel and Moyer's research, revealed at the ScmooCon 2009 conference in Washington earlier this week.

Moyer, he says, summed up the situation when he described social networking sites as "a perfect storm of social engineering and bad programming," and adding that Web 2.0 technology is now a launch pad for attacks against Internet users.

"More than anything, these two transatlantic research reports confirm our observations within Credant that companies are very wary of Web 2.0 technologies and the security loopholes they create," he said.

"The good news is that there are security solutions out there that can solve most, if not all, of the loopholes that these new technology platforms create. Central to this, we believe, is the use of powerful encryption. Once companies start to use these technologies, they will be able to effectively reap the benefit of Web 2.0 systems," he added.

For more on the SchmooCon research findings: http://tinyurl.com/d8q5ez

For more on the Adobe/Forrester research:


Source: Eskenzi PR



Brocade® unveiled on 14th January 2009 commissioned research suggesting that data center security is still not considered a top priority, despite half of the respondents experiencing attacks this year. Of these companies that suffered security breaches, 70 percent stated that the lost data was not encrypted, though 82 percent of these respondents noted that encryption technologies could have mitigated their risk. According to the UK Information Commissioner’s office, 277 major corporate security breaches have been reported this year alone*.

The research was based on a poll of 4,500 senior European IT decision-makers in the UK, France and Germany during late 2008. The research results reveal that perhaps up to a third of these organizations are simply ignoring security of their most mission critical part of their businesses – the data center. And in many instances, companies with IT security policies in place for their data centers are not properly utilizing them unless mandated by senior management or to comply with regulatory requirements.

“The amount of sensitive information continues to grow precipitously, so organizations need a broader deployment of encryption technologies across data centers in order to protect data confidentiality and privacy,” said Jon Oltsik, senior analyst, at Enterprise Strategy Group. “Specific to storage, these security and privacy demands require an architectural approach for enterprise-wide encryption of data-at-rest while enabling end-to-end management for the secure flow of data across multiple fabrics.”

Brocade recently announced the availability of encryption and management solutions that can be implemented without disruption into the storage fabric and applied to specified data flows. The Brocade security solutions preserve existing and new storage investments by supporting a heterogeneous mix of networked storage systems and support for virtual tape libraries and tape drives.

“The most mission critical corporate data resides within the data center and should require a robust, non-disruptive, fabric-based data security strategy to avoid damaging breaches,” said Mike Murphy, Director of Marketing – EMEA, at Brocade. “While over three quarters of businesses agree that a data loss would be catastrophic, this survey illustrates that not enough is being done to protect critical assets.”

For more information about data center security, visit http://www.brocade.com/products-solutions/solutions/security/index.page.

The Brocade survey was carried out among senior IT decision makers in late 2008.

Brocade® develops the highest-performance, most cost-effective, and most reliable networking solutions that enable today’s complex, data-intensive businesses to optimize information connectivity and maximize the business value of their data. For more information, visit www.brocade.com.

Source: Spreckley Partners

I.T.’s Dirty little secret – Privileged Passwords

By Mark Fullbrook, UK and Ireland Director, Cyber-Ark

You have a gaping hole in your security. Actually, let me rephrase that. MOST of you have a gaping hole in your security. It’s really big. It’s huge. It’s the kind of hole that when you think about it, it keeps you awake at night, worrying about how little you can do if someone actually takes advantage of it. It’s the kind of hole that most people would rather not think about, so they push it to the back of their mind. They don’t talk about it. Its I.T’s dirty little secret.

What is this huge security risk? It’s the potential abuse of Privileged Accounts and in the current financial environment, with companies either downsizing I.T staff or asking them to accept pay cuts, it’s more of a risk than ever.

Privileged Accounts are those accounts that many I.T staff use to carry out their day to day tasks. They allow those users to carry out ANY task on the system they are working on, whether it’s a desktop, server, database, application or appliance. So what’s the problem? Where’s the risk? The risk is that these accounts are, in the vast majority of cases, completely generic. All of the staff uses the same login name and password for each system; in some companies they may use the same login and password for many systems. This means there is no way of establishing who did what or when. What’s worse is that as there are so many of these accounts, many companies no longer bother to change the passwords with any kind of regularity. People change roles, yet still know the passwords to systems that they should no longer have access to. So now you have not only a list of authorised users who could be responsible for a data breach, but also a list of everyone who ever had access to that system (or at least had access to the system since the password was last changed)
But surely this only becomes an issue if you have untrustworthy staff? That’s not an issue for your company! You can look around your team and know that each and every one of them would never consider abusing the trust that is placed with them! How about your developers? How about your third party support staff? How about staff in other teams or the guy who left last year to go to one of your competitors?
The potential of insider threat is the number one risk within today’s Enterprise, and within any Enterprise the most technically aware staff are the I.T staff themselves. Knowing this, most companies still spend more on stopping John in sales or Caroline in accounts from accessing Facebook or an instant messaging application than they do on preventing the misuse of these highly sensitive privileged accounts.

The statistics speak for themselves. Verizon recently stated that 57% of breaches they surveyed over a four year period were committed by either an internal user or a business partner who had access to systems. They further stated that in the case of insider abuse over 50% of the breaches involved I.T Staff.

At Cyber-ark, we conduct a survey amongst the IT community on an annual basis that includes a very simple question.

“Have you ever used a privileged password to access information that was NOT relevant to your role?”

On average 33% of people who respond say they have. When asked if they would consider taking a form of sensitive data from their present employer if they ever left, over 85% said they would.

When I hear of companies that have not outlined a solution or strategy to deal with Privileged Accounts I liken it to building a prison with a huge tunnel to the outside. You can spend whatever you want on guards, fences, camera’s and locks, but if you don’t guard the tunnel, you may as well not bother.

Implementing a solution to safeguard against this type of threat is the only way forward and whether you decide to invest in a manual process or an automated vendor based product, you should ensure that it meets these three criteria:

1. Ensure your solution provides a safe and reliable place to store passwords.

Wherever you decide to store these highly sensitive passwords, you need to ensure it’s safe and secure. You need to make sure that only those that should have access to a particular password have access to it. Consider the administrators of the location. Can they see the data that resides within it? What would happen if you lost the system? Would that mean you lost the passwords? Ensure you have a fully redundant system that allows for any kind of failure.

2. Ensure you have the means to change passwords as regularly as possible. Use a one-time password if possible.

You can have the most secure location in the world for your privileged passwords but it will be completely undermined if you don’t change the passwords to systems as frequently as possible. Most quality automated products will allow you to change the password on a destination system every time a user requests the current password; some are even allowing users to connect to the destination system via their own GUI, without ever seeing the password. This allows you to change passwords less frequently.

3. Make is as easy as it can be for your users to go about their daily tasks.

Any security process you implement shouldn’t make your users lives more difficult. Although processes need to be secure, any solution should try to minimise impact.
By following this advice, you can be sure that when your head next hits your pillow you can sleep soundly. That gaping hole will have been filled and I.T’s dirty little secret will be keeping someone else awake instead.

Cyber-Ark is exhibiting at Infosecurity Europe 2009, the No. 1 industry event in Europe held on 28th – 30th April in its new venue Earl’s Court, London. The event provides an unrivalled free education programme, exhibitors showcasing new and emerging technologies and offering practical and professional expertise. For further information please visit www.infosec.co.uk

Courtesy: Infosecurity PR

Security – the human factor

Protecting a business is as much to do with ‘human factors’ as it is with the IT department, argues Paul Kearney, Head of Enterprise Risk Research at BT Group.

Much can be learned from history. Take, for example, the Trojan Horse – a contraption that was received as a gift during the siege of Troy but actually contained enemy soldiers. The trick worked for the invaders because the defenders let their greed and curiosity overcome their caution.

And then there was Archimedes – the man employed 200 years BC to produce a machine that could defeat the Romans by smashing their siege ladders as they placed them against the huge city walls of Syracuse. The solution worked for a while until the citizens became over confident and dropped their guard.

In both cases, it wasn’t the failure of the defences that led to defeat but the gullibility, naivety and complacency of the people who trusted them.

Winding on 2000 years or so, machines still challenge the vulnerabilities of organisations and it’s somehow appropriate that ‘Trojan’ has become the term used to describe one of today’s most feared types of computer malware.

Other threats include ‘phishing’ (where an e-mail message appears to be from a well-known and trusted organisation but isn’t), hacking, electronic fraud, electronic burglary using tiny USB devices, and the physical loss or theft of computer hardware – particularly laptops.

But regardless of the methods used, the real threat isn’t technology, but the human beings that mastermind the attack.

No organisation is immune from their attentions – in fact, the bigger the organisation, the more likely it is to attract criminals and pranksters driven by the buzz of seeing the results of their handiwork in media headlines.

Massive impact
The consequences of cyber attacks are significant, of course. Security breaches can have a massive impact on an organisation’s bottom line. The authoritative Information Security Breaches Survey says the worst incidents currently cost large businesses (with between 250 and 499 employees) between £90,000 and £170,000 and very large businesses (employing 500 or more) between £1 million and £2 million [i].

And cases of security breaches are legion. CDs containing personal data on about seven million families were lost in transit from Her Majesty’s Revenue and Customs (HMRC) and another government department [ii], and the Driver and Vehicle Licensing Agency mislaid a vast quantity of driving and vehicle licence details [iii]. A laptop containing sensitive defence data was stolen from the boot of a car in London [iv] and millions of customers in Britain and America were claimed to be at risk after credit and debit card records were stolen from retailer TJX’s computer systems [v]. A former informant of the US secret service has been accused of the latter crime, thought to be America’s biggest and most complex case of identity theft [vi].

The list goes on and there’s a constant battle between security professionals and cyber-criminals – organised or merely opportunist – who can find an outlet for data.
Security professionals, however, are often technologists, so their instinct is to look to technical solutions. Unfortunately, if they aren’t designed well, people will make mistakes in using them or just give up on them entirely. And if they aren’t efficient, they can end up hindering the progress of the tasks they are supposed to protect.

There are even security specialists who believe that IT users are merely a nuisance and regard their colleagues as ‘vulnerabilities’ against which their systems must be protected using rigid rules and procedures. This ‘command and control’ mentality can result in unnecessary restrictions on employees going about their work with the perverse effect of reducing security as staff try to find ways around the blocks in their path.

Human characteristics can create weaknesses and loopholes criminals can exploit. Consider people’s natural desire to be helpful, for instance. If an outsider claims to be a colleague wanting help with something, individuals are inclined to help, opening the doors of their fortress as a result. They are just too trusting – unaware of the tricks that people can, and will, get up to. And even security professionals can easily fall into that trap.

Typically somebody rings a helpdesk to say that they are working away and really need to prepare something for an important meeting but have forgotten their password. Impassioned pleas like this can all too often result in passwords being given away.

Con trick
Such tactics are known as ‘social engineering’ but they are merely a new take on an old-fashioned con trick.

Another example on a more physical security level involves people putting on overalls and carrying a clipboard to blag themselves into buildings. Employees just assume they are members of the maintenance team – people who know what they’re doing. And if you look the part, you can get access to all sorts of things…

Some companies employ people who do such things on a ‘white hat’ basis – white hat being an analogy to the old cowboy films where the villain wears a black hat while the sheriff wears a white one. So a ‘white hat hacker’ is somebody who has the skills of a hacker but who is employed to identify vulnerabilities – a typical poacher turned gamekeeper.

We should be designing systems that make best use of the complementary characteristics of people and technology to strengthen security. Computers don’t get tired, and can prevent people making mistakes. But they only do what they are programmed to do, and that may not be enough. Humans tire more readily, exposing themselves to attack. But if they think something odd is going on that they don’t understand, they can use their common sense and report it.

However, there is a potential conflict of interest between productivity and security – if you’re in a rush and working to a deadline you might be tempted to circumvent security measures. Indeed, management can make this worse through productivity and sales incentives.

Organisations need to motivate and educate their employees so that they see security as part of their job and to understand why they are being asked to adopt certain behaviours rather than just being able to ‘tick the box’.

People – asset or vulnerability?
This approach is endorsed in the latest information security breaches survey carried out by PricewaterhouseCoopers for the UK’s Department for Business Enterprise and Regulatory Reform (BERR) [i].

Their report states: “Companies increasingly realise that their people, while their greatest asset, can be their greatest vulnerability and so need to be educated on security risks.”

The survey discovered that more than half of the UK companies screened had not carried out a formal security risk assessment and that 67 per cent did nothing to prevent confidential data leaving their premises on devices such as USB sticks.
Broader research by the European Network Information Security Agency (ENISA) has warned that increased cyber-criminal activity is threatening the economic interests of the EU. The agency has called upon industry to collaborate to make the Internet a safer place to do business globally.

Given that people within an organisation can be the weakest link in terms of security, what can be done?
Education is a good start but so is a new approach within IT departments to make software much easier to use securely and a better understanding of human factors rather than total reliance on technology.

There are plenty of academics who specialise in human factors and human computer interactions and some companies have specialist labs that test systems for usability characteristics. But they are mainly aimed at functional features – making things easier to use – rather than the usability of security.

International standards such as ISO 27001 play a part too and lay down technical controls covering such things as usernames and passwords. But only one out of 133 controls covers human issues. In any event, 79 per cent of companies contacted for the BERR survey were unaware of the standard.

Best practice
Standards apart, there’s a need to achieve best practice in terms of user interface design and human factors to maximise security. Enterprises must take responsibility for these issues – it is in their own interests to share knowledge and work together to improve things.

Another positive move would be to embrace the mandatory incident reporting procedures that are commonplace in the aviation industry. Because these highlight not just actual accidents but near-misses, they provide a more accurate view of the situation – one that provides a sounder basis for future security decisions. California, for example, has made it mandatory for companies to report losses of personal information.

Unless action is taken on the human factors of security, the public’s confidence in e-commerce and anything else beginning with ‘e’ will be lost. If something isn’t done quickly, it could be a case of closing the stable door after the Trojan Horse has bolted.

BT is exhibiting at Infosecurity Europe 2009, the No. 1 industry event in Europe held on 28th – 30th April in its new venue Earl’s Court, London. The event provides an unrivalled free education programme, exhibitors showcasing new and emerging technologies and offering practical and professional expertise. For further information please visit www.infosec.co.uk


  • Human factors – human nature
  • Here are five ways that organisations should consider to reduce the human ‘vulnerabilities’ identified by the BERR report [i]:
  • Create incentives to encourage secure behaviour in the same way as you do to boost productivity.
  • Educate the workforce and enlist their support – they are part of the solution not part of the problem.
  • Make the security features of software more useable.
  • Beware of the ‘man in overalls’ or suspect him. Don’t just hold the door open for someone – check they have a pass.
  • Share knowledge to improve things collectively. Information on security breaches can be shared anonymously if required.

Courtesy: Infosecurity PR

Social Networking World Forum

9th and 10th March 09 - Olympia Conference Centre, London

The Social Networking World Forum
is the perfect event for professionals to learn and discuss the future development of social media.

Social media today is being more and more important for all manner of people and businesses, including and especially, it would appear, NGOs and charitable organization of another nature.

The various kinds of social media applications, whether Facebook, Twitter, or others, and the growth of those, is something that is also an extremely useful (and this is definitely and understatement) tool for causes of a variety of different kinds, from green issues to other more direct community issues.

This was shown the was Facebook has been used for this and we have recently seen the tenth anniversary of this application that was originally designed for just on-campus use, on the Intranet, of a university in the USA. We have really come a long way since.

According to a research by Juniper, revenues from social networking, dating and personal content delivery services will increase from $572m in 2007 to more than $5.7bn in 2012, with social networking accounting for 50% of the total by the end of the forecast period.

Communicating via social networks is becoming a way of life for many of us, whether we are using them to chat to our friends, progress our careers or to discuss our hobbies, it is clear that social networking is challenging face-to-face is communication.

Virtual communities for business allow individuals to be accessible. Networks improve the ability for people to advance professionally, by finding, connecting and networking with others. Social networks present an enormous opportunity. For firms with little money to spend, the web sites can be a cheap, efficient marketing tool.

Todays climate of online interactivity offers businesses an opportunity to supplement traditional, above the line marketing methods with tactical, targeted messaging aimed at influencing customer buying decisions.

By tapping into a culture of advice, relating good and bad experiences and relaying the latest news, brands can take advantage of the huge numbers of people using these sites. This promotes their product, and keeps readers informed of developments, launches and special promotions.

Users of social network sites won't shy away from letting people know about their positive buying experiences, and with the sheer number of people in the community, 'word of mouse' promotion has never had such reach.

Brands willing to dip their toe in, have found success by playing on specific themes which tap into popular culture. If executed well, brand positioning on social networking can reap similar rewards and help SMEs to achieve sales growth, increased brand awareness and most importantly, endorsement amongst their target audience.

However, there are warnings to heed. If too little respect is paid to the conventions of the community, where quality content is essential for success, then the users of social networking sites can just as easily deliver a knockout blow to a business as they can champion it.

The two day conference and exhibition will provide a focused platform for the global social media industry. The conference aims to address core issues such as monetization, future technologies/services, engaging social groups with brands and how businesses can get the most out of social and business networks.

Speakers at the conference include:

  • Anthony Lukom Managing Director, MySpace UK
  • Kate Burns, Managing Director & Vice President, Europe for Bebo & People Networks
  • Gerrit Mueller, Senior Director of Mobile Products, Connected Life, Yahoo! Europe
  • Mark Watts-Jones, Head of Development and Innovation, Orange UK
  • Sean Kane, Head of Mobile, Bebo
  • Henry Clifford-Jones, Director of Media Sales Europe, Linkedin
  • Natalie Johnson, Manager Social Media Communications, General Motors
If you would like to attend the Social Networking World Forum call the booking line (+44) 0117 321 8303 or alternatively you can email mark@sixdegs.com.