Security Implications Of The Virtualised Datacentre

By Bill Beverley - Security Technology Manager, F5 Networks

The concepts behind application and operating system virtualisation are not new. The rate of virtualisation adoption, however, especially that of software operating system virtualisation, has grown exponentially in the past few years. Virtual machines have finally come into their own, and are quickly moving into the enterprise data centre and becoming a universal tool for all people and groups within IT departments everywhere.

So what exactly is a virtual machine? VMware defines virtualisation as “an abstraction layer that decouples the physical hardware from the operating system...”. Today, we commonly think of virtual machines within the scope of one hardware platform running multiple software operating systems. Most often this concept is implemented in the form of one operating system on one hardware box (the host platform) running multiple independent operating systems on virtual hardware platforms in tandem (the guests).

Platform virtualisation usually relies on full hardware segmentation: allowing individual guest platforms to use specific portions of the physical host hardware without conflicting or impacting the host platform, allowing the host and guest(s) to run in tandem without stepping on top of each other.

There are two primary types of platform virtualisation: transparent and host-aware. Transparent virtualisation is implemented so that the guest is not aware that it’s running in a virtualised state. The guest consumes resources as if it were natively running on the hardware platform, oblivious to the fact that it’s being managed by an additional component, called the VMM (Virtual Machine Monitor), or hypervisor. The more standard forms of virtualisation today, such as those by VMware, implement transparent hypervisor systems. These systems can be thought of as proxies: the hypervisor will transparently proxy all communication between the guest and the host hardware, hiding its existence from the guest so the guest believes it’s the only system running on that hardware.

Host-aware implementations differ in that the guest has some form of virtualised knowledge built into the kernel. There is some portion of the guest operating system kernel that knows about the existence of the hypervisor and communicates with it directly. Xen (pronounced ‘zen’), a popular virtualisation implementation for Linux, uses a host-aware architecture, requiring special hypervisor command code actively running in both the host and all running virtualised guests.

One of the driving factors in virtualisation adoption is the open nature of hardware support for VMMs: Hardware platforms, which run and manage the primary host operating system, and the VMM are not specialized devices or appliances. This flexibility, the move of virtualisation software to everyday hardware, has allowed everyone direct and inexpensive access to run virtualised environments. Virtualisation allows a company to purchase one high end hardware device to run 20 virtual operating systems instead of purchasing 20 commoditized lower-end devices, one for each single operating platform.

Virtualised Threat Vectors

The benefits of virtualisation are obvious: more bang for your buck. But everything has a pro/con list, and virtualisation is no exception. The pro column is a large one, but the con list isn’t so obvious. What could be bad about running 20 servers for the price of one? Although by no means considered to be a large threat today, the security of virtual machines and environments is typically not considered, not because the security of these implementations is a technological mystery, but because it is generally an unknown vector to the groups that are implementing widespread virtualisation. In other words, virtualisation is usually implemented with no specific regard to the new security risks it brings.

Virtualisation brings an entire new set of security issues, problems, and risks. Security administrators are familiar with phrases such as “hardened operating system,” “walled garden,” and “network segmentation” in the one-box-for-one-application world, but how do administrators apply these concepts to the uncharted waters of the virtual data centres? How can we protect ourselves in new environments we don’t understand? Today’s system and security administrators need to begin focusing on virtual security, preparing for a new threat arena for distributed and targeted attacks.

There are many, many security risks and considerations that virtual infrastructure administrators should be aware of and prepared for, many of which were not covered in this discussion. And there are many questions that still need to be addressed before moving to a fully virtualised environment, such as:

  • How will our current analysis, debugging, and forensics tools adapt themselves to virtualisation?
  • What new tools will security administrators be required to master between all of the virtualisation platforms?
  • How does patch management impact the virtual infrastructure for guests, hosts, and management subsystems?
  • Will new security tools, such as hardware virtualisation built into CPUs, help protect the hypervisor by moving it out of software?
  • How will known security best practices, such as no-exec stacks, make a difference when fully virtualised? Will hardware virtualisation pave the way to a truly secure VMM?
  • Virtualisation and shared storage: What happens if we virtualise all the way down to the iSCSI transport layer? Are we opening up a floodgate which bypasses built-in SAN security?

These are all questions that need to be addressed before the enterprise world moves full-on into virtualisation. More than anything, we should be thinking today about where virtualisation security will take us tomorrow. We all agree that virtualisation is for the better and it’s here to stay, but security administrators need to make sure they keep ahead of the threats and think about virtualised threat vectors before attackers have already coded for them.

F5 Networks is exhibiting at Infosecurity Europe 2009, the No. 1 industry event in Europe held on 28th – 30th April in its new venue Earl’s Court, London. The event provides an unrivalled free education programme, exhibitors showcasing new and emerging technologies and offering practical and professional expertise. For further information please visit

Source: Infosecurity PR

Cloud-based security services: Will 2009 be the year this much hyped sector comes of age?

Pravin Mirchandani, CEO of network security specialists Syphan Technologies, argues that the emergence of new high-speed security technologies as we head into a recession is likely to be the catalyst for more widely available cloud-based security services.

The term Security-as-a-Service was first coined by the marketing folks at McAfee in 2001 to describe their vision of an outsourced approach to the provisioning and management of the full range of anti-X technologies needed to maintain corporate security, via the Internet. From a technical and business perspective, the idea of being able to devolve the responsibility for keeping complex network infrastructures secure and threat-free to third party specialists had many attractions, particularly as IT security professionals were both thin on the ground and expensive heads to have on the payroll.

Given that this was also a time when the battle between security vendors and the hacker community was really getting into its stride, and new vulnerabilities were being discovered on a seemingly hourly basis, it is surprising that, eight years later, the industry is still struggling with the concept of cloud-based security. In fact, if anything, the fundamental drivers underpinning the argument for a SaaS approach have strengthened in the intervening years: in 2008 there were over 5000 new vulnerabilities identified in common applications, operating systems and networking components; new PCI regulations and government legislation mean that enterprises now face serious consequences if they fail to maintain stringent security standards; and low cost, high-speed internet connectivity is virtually universal.

So the logical question is: why is cloud-based security not more widely adopted as mainstream policy? Clearly there is no one simple answer to this and no doubt resistance to some of the changes in thinking and internal processes needed to implement a SaaS strategy is a significant factor. However, as we face the prospect of a lengthy downturn in the global economy, companies are being forced to take a fresh look at their cost base, including the core IT infrastructure fundamental to their business operation. Constrained economic circumstances are traditionally the time when the advantages of outsourcing are more readily accepted by an organisation.

One very obvious reason for the slow uptake of SaaS is that there are few companies that actually offer the full security package that businesses require. Whilst this can be regarded as one of those circular “chicken-and-egg” arguments, there are some real and fundamental technology issues that have delayed the MSSP sector from seizing the opportunity and making the leap from remote network security management to delivering the full range of hosted security services online.

In particular, security vendors have failed to keep pace with the new multi-gigabyte network speeds needed to power bandwidth-hungry applications such as VoIP and multi-media streaming that many organisations have been quick to embrace, for which users demand consistent and reliable levels of performance.

One of the other big factors that has occurred in the last few years, and is also contributing to the delayed roll-out of SaaS, is the increased sophistication of the threats facing network infrastructures as the hacker community has found new ways to circumvent the latest security technology to deliver their malware payloads. The response by the security industry has been to try to adapt old technology to operate in a modern high-speed environment and to mitigate complex threats that it was never designed for, usually resulting in increased latency and unacceptable degradation of network performance. The latest multi-staged “low and slow” attacks are a specific case in point. Delivered over time in incremental parts, these attacks are virtually undetectable by existing IPS and firewall systems and require a totally new approach to intrusion detection and prevention.

Most of the big global network security vendors have announced products that include the option of 10G connectivity and make claims of high-speed throughput with multiple threat mitigation functionality. In theory they can provide the necessary protection but in practice these ASIC plus CPU based systems are restricted by the limits of their processing architectures and are unable to offer true 10G throughput performance, creating an overall bottleneck in the system and major problems for the users of VoIP and other real-time applications downstream.

As with the threat posed by multi-staged stealth attacks, resolving the issue of throughput performance requires more than just tinkering with existing technology, which in this case has effectively reached the limits of its capability. Syphan is one company that is tackling this problem head on through its innovative use of FPGA-based multi-dimensional parallel processing techniques. Using programmable silicon also means that the technology can be quickly upgraded in situ with new rule sets as and when new threats emerge, and by enabling full packet inspection against multiple rules in parallel, true 10G performance without latency is a practical reality.

With the emergence of these new technologies at a time of economic uncertainty, the roll out of scalable online security services has become a much more attractive proposition for MSSPs and their customers alike. Whilst not everyone welcomes the prospect of scaling back their internal operations, the option for businesses to eliminate their security management and infrastructure costs without compromising their security posture or risking impacting the day-to-day business operation is likely to be a strong factor in making 2009 the year that the cloud-based security market, envisaged by McAfee, starts to take hold.

Syphan Technologies is exhibiting at Infosecurity Europe 2009, the No. 1 industry event in Europe held on 28th – 30th April in its new venue Earl’s Court, London. The event provides an unrivalled free education programme, exhibitors showcasing new and emerging technologies and offering practical and professional expertise. For further information please visit

Source: Infosecurity PR

Time of Proactive Security is Beginning!

By Ari Takanen, CTO, Codenomicon

The easiest method of conducting a security compromise is to look for a vulnerability in widely used software and exploit that. The problem today is that vulnerabilities rarely become public. There is very little motivation to disclose security findings anymore. Unfortunately this also makes reactive tools such as intrusion detection systems, security scanners and vulnerability scanners useless. They are all based on public vulnerability knowledge, and today they just do not have the data to work on. More and more zero-day attacks emerge with no protection available. It is time to be proactive!

Fortunately a set of proactive security assessment tools has emerged to fill the gap. These tools can be divided into three categories: static code analysis tools, reverse-engineering tools, and fuzzers. But which of these tools are useful for your everyday security engineer trying to defend his or her enterprise network? Maybe to you, they all look like quality assurance tools rather than enterprise tools? Code auditing tools require access to source code to be useful. Reverse-engineering is a powerful, but often illegal, means of finding vulnerabilities. That leaves fuzzing as the only proactive means for protecting your system.

Recently, fuzzing tools have been adopted in standard penetration testing practices and certification processes. For example, in SCADA (industrial automation), fuzzing has become a critical part of the security test. Such tests have also been adopted as procurement criteria in telecoms. Also, if you look at the recent marketing materials for Google Chrome, you can see that major software companies have taken up fuzzing as part of their quality assurance process.

Without knowing it, you might already be using a product that has been fuzzed during its lifecycle. I definitely hope it has been. The only way to ensure that is to fuzz it yourself. This was the beginning of the enterprise fuzzing market, and more and more end-user organizations are adopting and integrating fuzzing into their standard auditing, acceptance and procurement processes.

What is Fuzzing?

Fuzzing is nothing new. For years already, software testers, developers and auditors have used fuzzing in their proactive security assessments. It is used to easily find defects that can be triggered by malformed inputs via external interfaces. This means that fuzzing is able to cover the most exposed and critical attack surfaces in a system relatively well, and identify many common errors and potential vulnerabilities quickly and cost-effectively. There are no false positives with fuzz testing. A crash is a crash; you cannot argue against that.

Although the most widely used fuzzers today are all commercial, much of the notoriety of fuzzers has arisen from the success of open source projects. The best-known fuzzing work comes from the testing of Unix command-line tools with fuzzed parameters in 1989 by Miller et al. Their research indicated that 20-40% of all tested software failed (crashed) when random inputs were provided. Back then fuzzing was dumb but still powerful. During the last 10-15 years, fuzzing has gradually developed towards a full testing discipline with support from both the security research and traditional QA testing communities, although some people still suffer from misconceptions regarding its capabilities, effectiveness and practical implementation. Fuzzing today is extremely intelligent!

Fuzzing Value

Fuzzing is especially useful in analyzing proprietary and commercial systems, as it does not require any access to source code. The system under test can be viewed as a black-box, with one or more external interfaces available for injecting tests, but without any other information available on the internals of the tested system. A practical example of fuzzing would be to send malformed HTTP requests to a web server, or create malformed Word document files for viewing on a word processing application.
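The black-box loop described above, as an added example that is not part of the original article and is not Codenomicon's tooling: a mutation fuzzer feeds malformed HTTP requests to a toy parser, run first against a version that trusts its input and then against a version that checks it. The parsers, the seed request and all names are constructed for illustration, and an unhandled exception inside the process stands in for a crash.

```python
import random
import traceback

class BadRequest(Exception):
    """The one failure the parser documents; callers handle it."""

# Constructed, well-formed sample request used as the mutation seed.
SEED = (b"POST /login HTTP/1.1\r\nHost: example.test\r\n"
        b"Content-Length: 9\r\n\r\nuser=demo")

def parse_fragile(data: bytes) -> dict:
    """Toy parser that trusts the shape of its input."""
    head, _, body = data.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, target, _version = lines[0].split(b" ")     # assumes 3 fields
    headers = {}
    for line in lines[1:]:
        name, value = line.split(b": ")                  # assumes "Name: value"
        headers[name.lower()] = value
    length = int(headers.get(b"content-length", b"0"))   # assumes digits
    return {"method": method.decode("ascii"),
            "target": target.decode("ascii"), "body": body[:length]}

def parse_hardened(data: bytes) -> dict:
    """Same grammar, but every assumption is checked and fails closed."""
    head, sep, body = data.partition(b"\r\n\r\n")
    if not sep:
        raise BadRequest("missing header terminator")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not all(p and p.isascii() for p in parts):
        raise BadRequest("malformed request line")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon or not name.strip():
            raise BadRequest("malformed header")
        headers[name.strip().lower()] = value.strip()
    raw_len = headers.get(b"content-length", b"0")
    if not raw_len.isdigit() or len(raw_len) > 9:
        raise BadRequest("bad Content-Length")
    if int(raw_len) > len(body):
        raise BadRequest("body shorter than Content-Length")
    return {"method": parts[0].decode("ascii"),
            "target": parts[1].decode("ascii"), "body": body[:int(raw_len)]}

def mutate(data: bytes, rng: random.Random) -> bytes:
    """Apply one random structural or byte-level mutation to the seed."""
    buf = bytearray(data)
    pos = rng.randrange(len(buf))
    op = rng.randrange(4)
    if op == 0:                                  # flip a single bit
        buf[pos] ^= 1 << rng.randrange(8)
    elif op == 1:                                # truncate the message
        del buf[pos:]
    elif op == 2:                                # insert random bytes
        junk = bytes(rng.randrange(256) for _ in range(rng.randrange(1, 9)))
        buf[pos:pos] = junk
    else:                                        # duplicate a slice
        buf[pos:pos] = buf[pos:pos + rng.randrange(1, 17)]
    return bytes(buf)

def run_case(target, case: bytes):
    """Return (verdict, bucket): 'ok', 'rejected', or 'crash' plus its site."""
    try:
        target(case)
        return "ok", None
    except BadRequest:
        return "rejected", None                  # documented, handled failure
    except Exception as exc:                     # anything else is a defect
        frame = traceback.extract_tb(exc.__traceback__)[-1]
        return "crash", f"{type(exc).__name__}@line {frame.lineno}"

def fuzz(target, iterations: int = 2000, seed: int = 1989) -> dict:
    """Fuzz the target; keep one reproducing input per distinct crash site."""
    rng = random.Random(seed)                    # fixed seed: repeatable run
    findings = {}
    for _ in range(iterations):
        case = mutate(SEED, rng)
        verdict, bucket = run_case(target, case)
        if verdict == "crash":
            findings.setdefault(bucket, case)
    return findings

if __name__ == "__main__":
    for parser in (parse_fragile, parse_hardened):
        found = fuzz(parser)
        print(parser.__name__, "distinct crash sites:", len(found))
        for bucket, case in found.items():
            print("   ", bucket, "<-", case[:40])
```

Each finding keeps the exact input that triggered it, so the defect can be replayed with `run_case` after a fix and added to a regression suite.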

The purpose of fuzzing is to find flaws in software, and it does that extremely efficiently. In tests conducted by Codenomicon Labs, the researchers found that none of the available WLAN access points used by consumers could withstand any fuzzing. Elimination of such flaws with automated black-box tools reduces the cost of software in both R&D and maintenance by the end-users of the communication products. Potentially in the world of tomorrow, you will not need any security devices, because the networks themselves will have been thoroughly tested, with fuzzing, to tolerate any surprises coming from the network.

Codenomicon is exhibiting at Infosecurity Europe 2009, Europe's number one dedicated Information security event. Now in its 14th year, the show continues to provide an unrivalled education programme, the most diverse range of new products & services from over 300 exhibitors and 12,000 visitors from every segment of the industry. Held on the 28th - 30th April 2009 in Earls Court, London this is a must attend event for all professionals involved in Information Security.

Courtesy: Infosecurity PR

Vulnerability Management - Battling the Unknowns with Intelligence

by Chris Schwartzbauer, Vice president of development and customer operations, Shavlik Technologies, LLC.

Too many companies, today quite savvy about security and compliance requirements, continue to struggle to get to grips with the basics – understanding what is on their network, how it is configured, its purpose and what is running on it. Often the decision makers, the CIO, Security and Risk Managers, assume the basics are resolved because a significant investment has been made in sophisticated security strategy and technologies. They have not, however, recognised that it is the mundane processes, the policy and configuration management where the vulnerability gaps are left wide open. This leaves them working in the dark, unable to track and therefore effectively enforce IT security policy. Ongoing investments in security compliance for PCI, or to adopt ISO 27002 standards and others are also compromised as this weak link in security strategy persists.

You can’t secure what you don’t know about and unfortunately the unknowns are many:

  • Companies are often unaware of all of the servers live on their network
  • Laptops are offline when vulnerability scans occur, or their agent software is not activated
  • Data governance is poor – data is easily copied and moved around the organisation by employees
  • Virtualisation has proliferated the number of machines that must be protected, while too many people can create virtual machines
  • Unknown network connections & account privileges persist
  • Unknown applications – whether malicious or loaded inadvertently by employees, for the latter patches are never applied
  • Oversights in configuration settings

The resolution lies in addressing the problem from the ground up. Attention must be paid to equipping the administrator with the ability to discover and evaluate all of the systems on and connecting to the network. They need access to usable information to ensure they comprehend the entirety of the problem, can set priorities, and instil confidence by communicating progress. The vulnerability gaps, once discovered, will usually require the most basic of security controls – configuration according to current access policy or removal of unauthorised software. The complexity lies in finding the gaps so that they can be filled.

For their part security administrators tell us that they are recognising the need to develop a meaningful overview of their network assets, largely a response to the increasing pressure to report more on their security status from the executives newly motivated to demonstrate responsibility to customers and board members alike. They are challenged however, by the complexity of their heterogeneous networks, an overwhelming amount of log data that is too time consuming to interpret, and a reticence to automate where manual processes are no longer adequate. The latter point is illustrated in a recent international study released by industry analysts Aberdeen Group which suggested only 51% of companies have automated basic vulnerability management operations such as patch and configuration management despite widespread acceptance that many security vulnerabilities can be avoided by fixing this issue.

The struggle to glean good, complete information about the security status of their information systems is most obvious when it comes to audit time. In a 2008 survey Shavlik conducted of over 400 delegates attending trade shows in the US and Europe, they identified over 120 different solutions for managing the audit process, with many trying to develop their own management programs or pull together information from ‘a lot of systems.’ A significant proportion, nearly 40%, indicated that they were dissatisfied with this situation. Other feedback shared by our customers suggests that they want interoperability or even integration across the disparate solutions they have deployed for vulnerability management (application control, configuration management, virtualisation control, patch management, even anti-virus and spam control) so that they can develop that comprehensive view of what is happening.

Some vendors are responding: many of us are committing to standards such as SCAP, which, though an initiative of a US government agency, leverages internationally recognised open standards, such as the Common Vulnerabilities and Exposures (CVE) identifiers, the Open Vulnerability and Assessment Language (OVAL), and the Common Vulnerability Scoring System (CVSS). Commercial application promises to deliver the improved interoperability across functions that is being demanded. The opportunity is there for companies and organisations to establish an integrated approach for their security operations.

It used to be that hackers wanted to make a big impact: create and distribute malicious programs that could proliferate quickly and cause great disruption. Now most attacks are designed to go undetected to give the program the time to invade a piece of software, search out, and steal valuable data that can be sold on a black market. They are also more focused on endpoint machines and PCs, given the comprehensive investment in firewalls and historic focus on defending the network itself. Such an attack can last for months, and avoid detection until a customer realises that a breach has occurred. This phenomenon is catching public attention with publicised data losses alerting everyone to their vulnerability, while executives are increasingly asking their CIOs if their company could make the next news headline.

It’s time to recognise that organisations must work with a solid understanding of whether a given box is relevant and configured for its task, whether users downloaded anything, whether it’s all patched—there can be hundreds of checks that administrators will want to and should verify. This will rely on the will to plan, organise and take advantage of their security management information, starting with a query of the potential unknowns. Before systems can be patched and configured according to policy, administrators must proactively scan for what systems exist, and ensure laptops are detected whenever they connect to the network. They must understand what software exists on them, and whether the approved configuration is appropriate. The remediation that follows can be systematic and sustainable, and communicable through a rich resource of reporting information that can be tailored for whoever may be looking for reassurance. Until these basics are effectively managed, there will always be a risk to company security and any effort at compliance with security policy or external regulation.

Shavlik Technologies is exhibiting at Infosecurity Europe 2009, the No. 1 industry event in Europe held on 28th – 30th April in its new venue Earl’s Court, London. The event provides an unrivalled free education programme, exhibitors showcasing new and emerging technologies and offering practical and professional expertise. For further information please visit

Shavlik Technologies, LLC delivers businesses robust software solutions that rapidly accelerate and continuously improve security and compliance readiness by simplifying IT operations, and identifying and reliably closing system security gaps.

Courtesy: Infosecurity PR

Finjan confirms cybercrime revenues exceeding drug trafficking

Farnborough, United Kingdom, 26th March 2009: Testimony from AT&T's Chief Security Officer Edward Amoroso, in which he told a US Senate Commerce Committee that revenues from cybercrime - at $1 trillion annually - are now exceeding those of drug crime, has been confirmed by Finjan, the business Internet security expert.

"Our latest research suggests that, whilst the economic downturn is reducing the income of drug traffickers, cybercriminals are becoming ever more innovative in the ways they extract money from companies and individuals," said Yuval Ben Itzhak, Finjan's Chief Technology Officer.

"In our Q1 2009 report on cybercrime, for example, we revealed that one single rogueware network is raking in $10,800 a day, or $39.42 million a year. If you extrapolate those figures across the many thousands of cybercrime operations that exist on the Internet at any given time, the results easily reach a trillion dollars," he added.

According to Ben-Itzhak, Finjan's Q1 2009 security trends report also revealed that traffic volume to compromised Web sites has increased significantly, so luring masses of potential buyers to rogueware offerings.

As we have reported many times in our quarterly reports, he said, cybercriminals keep on looking for improved methods to distribute their malware and rogueware.

And since they make money by trading stolen data or selling rogue software, they are always looking for new and innovative techniques all the time, he explained.

"It's against this backdrop that we can confirm AT&T CSO Amoroso's testimony that cyber-security threats have increased significantly over the past five years, and have reached the point where they pose a significant threat to all organisations," he said.

“We have seen a trend of unemployed IT personnel finding new and easy income by purchasing and using Crimeware Toolkits that are sold by professional hackers. We believe that this was just the beginning of a wider trend that we will experience in 2009 and 2010. Having the large number of layoffs of IT professionals all around the world, especially in the USA, we expect a rising number of people willing to ‘give it a try’ and to get stolen credit card numbers, online banking accounts and corporate data that they can use to generate income,” he added.

"Because of this, we are urging companies to constantly review their IT security defences and the ways they monitor their IT resources against all forms of incursion and data leakages. It's only with extreme vigilance that IT managers can reduce the risk of a serious cybercrime event causing severe fiscal damage to their firm," he added.

For more on Edward Amoroso's Senate testimony:

For more on Finjan's Q1 2009 intelligence report:

Finjan MCRC specializes in the detection, analysis and research of web threats, including Crimeware, Web 2.0 attacks, Trojans and other forms of malware. Our goal is to be steps ahead of hackers and cybercriminals, who are attempting to exploit flaws in computer platforms and applications for their profit. In order to protect our customers from the next Crimeware wave and emerging malware and attack vectors, Finjan MCRC is a driving force behind the development of Finjan's next generation of security technologies used in our unified Secure Web Gateway solutions. For more information please also visit our info center and blog.

Secure Gateway provides organizations with a unified web security solution combining productivity, liability and bandwidth control via URL categorization, content caching and applications control technologies. Crimeware, malware and data leakage are proactively prevented via patented active real-time content inspection technologies and optional anti-virus modules. Powerful central management enables intuitive task-based policy management, excellent drill-down reporting capabilities and easy directory integration for all network implementation options. By integrating several security engines in a single dedicated appliance, Finjan’s comprehensive and integrated web security solution enables quick deployment, simplified management and reduction of costs. Business benefits include real-time web security (no patches or updates needed), lower total cost of ownership (TCO), cost savings in administration efforts, lower maintenance costs, and reduction in loss of productivity. Finjan's security solutions have received industry awards and recognition from leading analyst houses and publications, including Gartner, IDC, Butler Group, SC Magazine, eWEEK, CRN, ITPro, PCPro, ITWeek, Network Computing, and Information Security. With Finjan’s award-winning and widely used solutions, businesses can focus on implementing web strategies to realize their full organizational and commercial potential. For more information about Finjan, please visit:

Neil Stinchcombe, Eskenzi PR

Experts say energy network hacks could be avoided with code auditing

Fortify says energy network hacks can be avoided through the use of code auditing and analysis

26th March 09 - Commenting on the reported vulnerability of the energy and utility networks to external attacks by hackers, Fortify Software, the software security assurance experts, says that the custom code seen in many energy applications means that program code auditing and analysis is now a must for security.

"The problem facing IT managers within energy companies is that a lot of programs they use on their IT resources are either heavily customised or written from scratch, such as SCADA applications," said Rob Rachwald, Fortify's Director of Product Marketing.

"Because of this, the code auditing and review process must involve building security into the software from the ground level upwards. The problem is, however, that this is not a frequently used mantra in the energy industries, many of whom use modified Windows 98 and even DOS applications dating back several years," he added.

According to Rachwald, the process of integrating security within the program code of energy companies is not to build operational standards, but preventative ones.

Rachwald says that Fortify has been working with Cigital, a consulting firm specialising in software security, to develop the 'Building Security In Maturity Model (BSIMM),' a set of benchmarks for developing and growing an enterprise-wide software security programme.

The BSIMM programme, details of which were released in early March, says Rachwald, is highly applicable to the reported security worries surrounding the vulnerability of utility, and in particular, energy networks, since it creates benchmarks where none existed previously.

Under BSIMM, he explained, Fortify and Cigital have developed a structured set of practices based on real-world data, which provides an insight into what successful organisations actually do to build security into their software.

It also, he says, gives developers an understanding of how to mitigate the business risk associated with insecure applications.

"The North American Electric Reliability Corporation - NERC - has also been working on required source code reviews. This is especially relevant given the trend to using open source programs as a baseline for energy company customised software," he said.

"Using the NERC approach to code auditing and reviewing is an excellent starting point on which to build a program audit process and a great step towards engendering a preventative mindset on the software development front," he added.

For more on the energy network security debate:

For more on Fortify Software:

Yvonne Eskenzi, Eskenzi PR

IBM in talks to acquire Sun Microsystems

by Michael Smith

Deal would strengthen computing giant’s open source credentials but will that be good for Open Source and the freedom of open source and the code?

IBM is in acquisition talks with hardware and software platform vendor Sun Microsystems, who are also, in a way, behind Open Office, according to the Wall Street Journal.

The report has been neither confirmed nor denied by either party.

According to the Wall Street Journal’s sources, IBM would pay at least $6.5 billion for Sun Microsystems. That is almost twice its present market capitalization, but half its total revenues in the 2008 financial year – testament to the fact that investors have little faith in Sun’s ability to make money this year.

Sun has had a disastrous financial year so far. The company lost $1.7 billion in the first quarter, announcing shortly after that it plans to lay off 6,000 employees.

Among the many causes of Sun’s woes have been some expensive acquisitions, notably that of storage equipment manufacturer StorageTek in 2005 for $4.1 billion and MySQL for $1 billion. The latter, in particular, formed the basis of a ‘commercial open source’ business model that has yet to prove ‘commercial’, in the traditional sense.

That means that IBM may be picking up a bargain. The IT giant has also built an open source strategy, which would be bolstered by Sun’s credibility (if not profitability) in the field. However, there may also be an overlap in the companies’ hardware portfolios.

This is, probably, one story of “don't be greedy” and the same could be a warning for others when it comes to acquisitions.

In my view the question is that while this acquisition of Sun Microsystems by IBM may give IBM open source credentials, the question, as I stated to begin with, is whether this is good for Open Source in itself.

The takeover, if it comes to it, by IBM of Sun Microsystems may not necessarily impact on the most famous and most used open source office suite, that is to say Open Office, as the development, in the main, is done by the Open Office.org team, but Open Office is, nevertheless, part of Sun and there is always the possibility that, suddenly, the free open source office suite we are used to will no longer be free or available.

I guess we will have to wait and see as to the outcome.

© M Smith (Veshengro), 2009

Tips on stamping out Data Leakage & Industrial Espionage during a Recession

Cyber-Ark Software explains why the recession is impacting IT security and provides top tips to ring fence the risk

By Mark Fullbrook, UK Director – Cyber-Ark Software

At a recent monthly gathering of both good and bad hackers in a dingy pub in Leicester Square, I asked them whether the economy was opening up new opportunities for them. The response was an overwhelming yes, with nearly everyone saying that the cut backs had caused jobs to be outsourced and, with less folks in IT looking after security, there would be increased room for vulnerabilities and for mistakes to emerge. They were also quick to state that the sentiment amongst redundant employees was that of disgruntlement and that therefore they were more inclined to exploit loop-holes in their previous employers’ networks.

The hacker community reinforced findings Cyber-Ark had unearthed in a recent survey it had conducted amongst 600 office workers in London’s Canary Wharf, New York’s Wall Street and also in Amsterdam. The study explored whether the recession was affecting peoples’ attitudes to work ethics and data security and, shockingly, it revealed that data theft and industrial espionage were on the up, worryingly not from hackers, but from the workforce itself concerned about impending job losses.

56% of workers surveyed said they were worried about losing their jobs because of the economic climate and, in anticipation, over half admitted to downloading competitive corporate data which they had identified as a useful negotiating tool in preparation to secure their next position. Top of the list of desirable information to steal is customer and contact databases, with plans and proposals, product information, and access/password codes all popular choices with a perceived value.

Memory sticks are the smallest, easiest, cheapest and least traceable method of downloading huge amounts of data, which is why, according to the Cyber-Ark survey, they’re the “weapon of choice” to sneak out data from under the boss’s nose. Other methods were photocopying, emailing, CDs, online encrypted storage websites, smartphones, DVDs, cameras, SKYPE, and iPods. Rather randomly, yet disconcertingly, in the UK seven percent said they’d resort to memorising important data!

It’s not all doom and gloom as the survey also discovered that 70% of companies had implemented restrictions to prevent employees from taking information out of the office but that still leaves a worrying 30% unprepared for the snake in their midst.

Top Tips to Ring Fence The Risk
So what can companies do to stop data leakage and company secrets being exposed during these very uncertain times? My best advice is to …

1. Only allow people access to the information that they need for their everyday activity. Install multiple layers of security within the organisation depending on the value of the information; in this manner only those that are privy to highly sensitive or important data are allowed access to it. The best way to do this is to have a “digital vault”, where you can encrypt the company’s most critical assets and allow only those with privileged access into the vault.

2. Regularly change passwords on admin accounts or privileged accounts which are accessed by more than one user, as you will often find that these power passwords are being informally shared amongst those people that shouldn’t be using them. It’s once you change these that suddenly people phone in and ask why they can no longer access the data and you realise just how many unauthorised people were unnecessarily accessing the information. It’s these admin accounts and privileged passwords that hackers will always try and access first as they are often badly managed, leaving gaping holes in the network.

3. Drum into your staff the importance of respecting company data and make sure you instil good IT security housekeeping rules. You can have the best IT security products in the world, but if your staff lets you down by stealing the information or, then all your best intentions and investments go out the window – along with the data!

4. Make sure you have an audit trail to the sensitive and important data. That way you can track who has access to what information and can check at all times who is accessing it.

5. Have a strict password usage policy that means that all users within the company have to change passwords regularly, mixing numbers, letters and symbols. Do not allow users to know, or worse share, each other’s passwords. As I mentioned earlier, manage and audit the highly sensitive administrative passwords to prevent hackers, and increasingly important insiders, exploiting the systems.

6. Ensure that you have a strict protocol for remote users and administer security products onto mobile devices centrally. Deploy the best, most transparent, encryption solution that doesn’t impede the device or impact the user, otherwise they will do their utmost to bypass it.

7. Have protection in place against data deletion and loss - earlier file versions should be retained, ensuring an easy way to revert to the correct file content or recover from data deletion quickly with minimal disruption.

8. Always use digital signatures so that unauthorised changes in files are detected.

9. Make sure you have end-to-end network protection. Security must be maintained while data is being transported over the network. The process of transferring data has to be, in itself, secure. It should be necessary for users to be authenticated, and access control used to ensure that users only take appropriate action, and that only authorised actions are carried out.

10. Maintain process integrity at all times. As data transfer is an essential part of a larger business process, it is critical to be able to validate that this step in the process is executed correctly. This requires the solution to provide auditing features, data integrity verification, and guaranteed delivery options.

In this current economic climate employers need to be able to trust their staff; however, with everyone jittery about keeping their jobs, the instinct is to look out for number one. The result is that employers need to be stricter about locking down sensitive and competitive information. It would be unthinkable to leave money on a desk, an obvious temptation to anyone passing; instead it is always safely locked away, and the time has come for companies to give sensitive information the same consideration. If times get hard, and they invariably will, companies need to ensure that any cutbacks aren’t deeper than expected when stolen data unexpectedly eradicates any chance of survival. CyberArk’s advice is only allow access to your most critical assets for those that really need it, encrypt.

Yvonne Eskenzi, Eskenzi PR

Protecting personal data - information assurance as a core business function of an organisation

By Stephen Lewis - VP of Business Development at AEP Networks

The protection of personal data is a very hot issue today and its rise to fame has been helped dramatically by a number of high profile data losses, mainly by government and its agents but also in the commercial sector. Although these losses of personal data may not have shocked those involved in the information assurance business at the time, organisations dealing with sensitive or private data should have made it their business to secure it and therefore avoid further negative publicity. We ask the question, “Are we protecting the information fully?”

Well, the media interest has achieved one significant goal – now, we are acutely aware that our personal details, that we have provided in good faith and on the understanding that it would be treated in confidence and taking due care and attention, may not be receiving the protection we expect. Doing something about that is quite difficult because we need to exchange personal data in order to carry out our day-to-day business. And, it is true to say that if trust is lost between an individual and a service provider of whatever type no business can be transacted. This is what we face if we fail to look after personal information.

It is clearly the responsibility of the organisation receiving personal data to protect that information so what do we mean by ‘protect’?

The organisation must make sure that only authorised personnel are able to access certain types of information or data. This means putting into place the necessary and appropriate access controls and data security measures in order to maintain confidentiality. Then, it is important to ensure that data is not moved outside of the control zone that has been specified.

Ensuring that the information held on each and every individual is accurate is another responsibility of the organisation holding personal data. This requires integrity checks being carried out on the data, refreshing of the data to be sure that it is kept up to date and validation methods being implemented so that individuals are able to check for themselves that their data is current.

Then, organisations need to make the information available so they will require a level of system resilience and disaster recovery strategies to be in place to cover all eventualities. Up-to-date and appropriate identity management and access control are critical and they need to know at any point in time who needs to access data and show an audit trail of those who have already accessed it.

Most of the countermeasures I see being implemented to protect personal data seem to be focusing on encrypting information on mobile devices and writable media. This is excellent news for colleagues in the “data at rest” encryption business but we are concerned that some of the fundamental issues are not being examined. It is often a business process issue that needs to be addressed in the first instance. For example, why are staff holding this information on laptops and PDAs? Why do they need to cut a CD or write data to a USB memory stick?

The answers certainly lie in the business practices surrounding the protection of personal data. If one Government Department has a quite legitimate need to send personal data to another organisation then it should be possible to send it over an encrypted link rather than to cut the information to CD and consign it to the mail system. If an officer needs access to personal data while on the move then surely using a thin client based remote access solution is far better than them having to store a copy of the data on their own machine. If staff need access to data temporarily - for a project - then the access control and identity management system must be flexible enough to allow for this rather than (and we’ve all seen this in practice) people working around the system to avoid making changes through ‘the system’.

There are flaws in the security measures of many organisations and most are easily overcome. A review of business processes and practices is an essential first step and this should be followed by a realistic and timely review of the communications infrastructure and the existing security systems in place. Encryption will necessarily form a core part of the security of personal data, but so too will access control and identity management. Get all of these aspects right and data will stay secure, even when it is on the move. Get it wrong and the publicity drive to name and shame organisations that do not look after our data will continue with a vengeance.

AEP Networks has been working in the Information Assurance and Communications Security fields for many years and has solutions deployed in Government and Commerce providing simple and flexible network and remote access security (including multi bearer communications capability); identity based access control, accounting and audit systems; and, data and authentication integrity assurance.

AEP Networks offers an integrated portfolio of secure, high performance network and communications access solutions for enterprise and private sector organisations. The Company’s secure networking products include identity-based and policy-based access control solutions, SSL VPNs, IPsec-based VPN encryptors and hardware security modules (HSMs) for key management. AEP Networks’ enhanced-grade communications products address the needs of organisations requiring specially designed voice and data solutions that support a wide range of communications protocols and network topologies.

With European headquarters in Hemel Hempstead, UK, AEP Networks has offices worldwide. For more information, visit

AEP Networks is exhibiting at Infosecurity Europe 2009, the No. 1 industry event in Europe held on 28th – 30th April in its new venue Earl’s Court, London. The event provides an unrivalled free education programme, exhibitors showcasing new and emerging technologies and offering practical and professional expertise. For further information please visit

Courtesy: Infosecurity PR

Online Networking – A growing Phenomenon

by Michael Smith

Online social and also professional networks and special interest nets are growing at a phenomenal rate and new ones are springing up everywhere.

It more or less – I mean properly – all took off with Facebook before it even became open to the public, so to speak. Once it was made open to the public it rocketed and every other one followed.

Fair enough, online networks of one kind or the other were available for some time – probably even before Facebook became open – such as Yahoo Groups, for instance, and bulletin boards and forums but the new networks made it much more personal and more efficient, probably.

Facebook was soon followed by other social and business networking tools and more and more of them are getting up on an almost weekly basis.

Some are just social networks really for the younger generation but then again they can, to a degree, be utilized too as tools for marketing as, as is the case with Twitter, others are also coming to use this service nowadays.

The old networks have not had their days as yet either, such as Yahoo Groups and/or forums. It is often a case of “horses for courses”, even though to some the likes of Yahoo Groups and Bulletin Boards, and even Forums, seem to be a little something out of the time of Noah's Ark. But, as said, they have their uses still and should, I think, remain for those that wish to use them, though I am well aware that Yahoo groups are no longer as much in use as they were only a couple of years back.

Facebook and others are different and obviously more sophisticated as well.

And there are other networking platforms out there that work on a different level still, such as Twitter, as an example.

Then there are the so-called Social Bookmarking Sites such as Yahoo's “My Web 2.0”, which, alas is being terminated. Then there is Digg, Delicious, and numerous others that do the same thing, more or less. I began using those when I was using Yahoo – I still use Yahoo and am rather sore that they are canceling the “My Web 2.0” thing – as a means of storing bookmarks “in the cloud”, so to speak, while also sharing them with friends and the greater public. Now I am forced to go over to Delicious. I guess this will not be the greatest of hardships either but...

OK, but I digressed a little...

In addition to the “normal” social media sites such as Facebook, Twitter, and such, there are the social business networks such as LinkedIn, and a variety of others.

To be perfectly honest, it is becoming difficult to keep up with all of them and it would appear that new ones pop up on an almost weekly basis or such. And to keep track of them could end up a full-time occupation. Mind you, not that you could even remotely hope to participate in more than a small number of them. Just keeping track of them as to existence, names and such is not very easy.

Application of Social Media

There are a number of ways that social media and social networking is being used and can be used, from purely personal to purely business and all stops in between.

Social Use

Who and what really started this all may be a little difficult to ascertain nowadays – then again maybe it is just me – but online (social) networks of one kind or the other are not totally new. It did not just start with Facebook.

While the opening of this platform to people in general – for it was initially part of a college Intranet – caused the explosion of this phenomenon, Facebook sure was not the first system of this kind.

If I am not mistaken, the likes of “Friends Reunited” may have been some of the first, if not indeed the first, real social networks online. However, those were not free services; all had a financial subscription in those dark days.

Today the choice, as I have said, of platforms is legion for social networking on a variety of different levels and at a variety of depths.

Now we also have the likes of Twitter with us which are and were initially and primarily used as a platform for sending SMS style messages, that is to say cell phone text messages; hence the restriction to the number of characters in a message for a post. I think they call them “tweets”.

Facebook too still has its limitations as far as updates are concerned and there too is a limitation as to the number of characters a message can have. But one does have the option of posting notes on Facebook where there does not seem to be a restriction in the number of characters.

Then again anyone wishing to do in depth discussions could use a forum of kinds, and many of the platforms, other than Facebook, do have such facilities, such as CollectiveX. It is all a matter, as I said before, of “horses for courses”.

Business Use

Facebook has been used here for a fairly long time already by those in the know, especially also in its early days, as a fundraising tool by NGOs and those wishing to aid such organizations.

Many of the larger media groups and newspapers can also now be found on Facebook, such as the New York Times, as well as major charities, NGOs, etc.

Twitter, though primarily an application that was intended to be used from mobile clients, e.g. cell phones, is being used now by businesses, government departments, politicians, causes and, in the UK even HM the Queen.

Causes of various kinds have established social networks/business networks and then there are the more or less business ones such as LinkedIn, or the ConnectX platform, which is used by groups, families, clubs, societies, communities, causes, businesses nets, such as green nets, etc., etc.

Oh my, and I have just noticed that in all of this I have forgotten “MySpace” but, then again, I do not find that an all that useful application.

The Future?

Well, I am not psychic so I have no idea where this is all going to lead and where we are headed in this but the potentials for this, in my opinion, are huge. But there are two sides to this coin, obviously, also, for the applications can be used for good as well as for bad.

How much, however, should those online social networks, and even if they are being used by good causes and charities, and businesses, be used for marketing?

Should this be not much more something about building communities and relationships; first online and then, maybe, also afterwards in real life? When I say here “relationships” I do not mean those in the realm of sexual relationships or leading to such. Relationships are much more than that and should be much more than that. They should also be about communities and helping and such and there some of those nets have already shown some worth.

Where we are going with this is, to a great degree, up to us who are going to use such online social (and business/social) networks and whether we want to be bombarded with ads and marketing or whether we want something else.

The Internet allows us, the users, to define how things are being used and in which way and it is also we, the users, that tell the developers what we want and how we want it used. User power is definitely the rule here.

The problem that is beginning to arise though is that the powers that be are running scared of the social media, be this networks or Bloggers and are looking for ways to control the activities via legislation and forcing ISPs to keep records and all that. All with the usual mantra of wanting to “protect the children”.

If they are interested in protecting children online then why do they not provide filtering software for free to parents? From a conversation that I have had with some folks they have even refused to take up offers from software companies to receive those free from the developers for free distribution. It has nothing to do with “protecting the children” but everything to do with wanting to control the medium of the Internet.

Sorry, I did digress a little here and shall save the rest of that subject for another time.

© M Smith (Veshengro), 2009

Tufin launches product security suite for Security Lifecycle Management

Tufin Technologies Sets the Standard for Security Lifecycle Management with the General Availability of SecureTrack 4.5 and the Tufin Security Suite (TSS)

Sophisticated Network Security Policy Analysis, Compliance Management, and Joint Delivery with SecureChange Workflow Underscore Tufin’s Ongoing Innovation

London, March 24, 2008 - Tufin Technologies, the leading provider of Security Lifecycle Management solutions today announced the release of SecureTrack 4.5. This release furthers Tufin’s market leadership by expanding its already robust policy and compliance analysis and reporting capabilities while simplifying deployment. SecureTrack 4.5 also offers the capability to pre-load its companion change management solution, SecureChange Workflow. Together, these products comprise the Tufin Security Suite (TSS), providing security operations teams with unprecedented control over network security policy management – from the first policy request through its design, risk analysis, approval, implementation and auditing. Tufin Security Suite (TSS) highlights Tufin’s ability to automate critical operational processes, saving organizations a significant amount of time and money while improving their network security posture.

“Tufin’s ability to enable security teams to do more with less – and to quantify the time and cost savings it delivers – has kept it on the short list of any company still actively evaluating security technology,” said Nick Garlick, managing director of the Nebula Solutions Group. “The way Tufin has automated network security policy management is truly impressive - you can tell their solutions were designed by people who have experienced the most painful elements of security operations.”

“Firewall policy management products have emerged to meet the need to better manage firewalls for compliance and reporting, especially where firewalls from multiple vendors are deployed,” said Greg Young, Research Vice President for Gartner, Inc. “The consoles and reporting tools from the firewall vendors are often simply found lacking, and third-party firewall policy management products are being used for rule optimization and compliance-related activities, such as reporting workflow and better separation of duties (SOD).”

Industry-leading functionality:

Key enhancements to SecureTrack/TSS 4.5 include:

  • Compliance White Listing – This new feature provides the ability to define organizational compliance policy as the traffic which is allowed ("white list"). This feature complements the existing capability for defining what is not allowed (“black list”). A real time alert is sent whenever a rule conflicts with the compliance policy.
  • On Demand Compliance Reporting – In addition to receiving compliance updates with each policy change, SecureTrack now enables administrators to create a real time snapshot of how network security policies align with predefined business continuity, regulatory, security and risk management policies.
  • TACACS+ Authentication – Support for using TACACS+ central authentication for SecureTrack users and administrators provides additional deployment options for centralizing user access management.
  • Simplified Licensing Scheme – Rather than assigning licenses based on specific devices, Tufin’s flexible licensing process enables customers to switch monitored devices of the same type within the licensed quantity to account based on business need.

“There are two main reasons why we have been ahead of the curve releasing key features. Number one is that we listen closely to feedback from our customers and channel partners and number two is that we have walked many a mile in our customers’ shoes,” said Reuven Harrison, CTO, Tufin Technologies. “Our mission is to deliver products that make administrators’ jobs easier on a daily basis. As a result, SecureTrack delivers dramatic efficiencies that can be easily quantified. At the end of the day, when the people managing the business win, the business wins.”

Tufin SecureTrack™ is the market-leading Security Lifecycle Management solution. SecureTrack enables organizations to enhance security, reduce service interruptions and automate day-to-day tasks through powerful firewall management capabilities and reporting. SecureTrack helps security operations teams to control and manage policy changes, analyze risks, and ensure business continuity and allows managers to easily understand the big picture and align operations with corporate and government security standards.

Tufin SecureChange™ Workflow is a unique change management solution designed specifically for security policy change requests. SecureChange Workflow manages the entire lifecycle of a policy change request, from submission through design, risk analysis, approval, implementation and auditing.

Tufin Technologies is the leading provider of Security Lifecycle Management solutions that enable large organizations to enhance security, ensure business continuity and increase operational efficiency. Tufin's products SecureTrack™ and SecureChange™ Workflow help security operations teams to manage change, minimize risks and dramatically reduce manual, repetitive tasks through automation. With a combination of accuracy and simplicity, Tufin empowers security officers to perform reliable audits and demonstrate compliance with corporate and government standards. Founded in 2005 by leading firewall and business systems experts, Tufin now serves 300 customers around the world, including leading financial institutions, telecom service providers, transportation, energy and pharmaceutical companies. For more information visit or follow Tufin on Twitter at TufinTech

Yvonne Eskenzi, Eskenzi PR

Google Street View poses threat to UK's national security

Infosecurity Europe says Google Street View poses threat to UK's national security.

The organisers of Infosecurity Europe, Europe’s No. 1 information security event, say that they are expecting a storm of controversy to erupt over the introduction of the Google Street View facility in the UK.

"The introduction of this service in the UK, which has already attracted vociferous criticism in the US, is regarded by many as a voyeuristic intrusion of privacy. But the invasion of personal privacy is nothing compared to the threat this service poses to the national security of the United Kingdom," said Tamar Beck, Group Event Director, Infosecurity Europe.

"I find it deeply disturbing that critical sites such as police stations and army facilities are accessible on the service, thus posing a serious threat to national security, since terrorists now have the electronic equivalent of a dummies' guide to 25 of the UK's major cities," she added.

According to Tamar Beck, whilst Google Maps' satellite view option has previously provided some degree of information to would-be terrorists on the Internet, the viewing angles are sufficiently limited to be of little use to a potential terrorist.

With Google Street View, she says, all the limitations go out of the window, giving terrorists instant - and anonymous - access to major UK cities on a street-by-street basis, where they can pick and choose terror targets from their training camps in Afghanistan, Iran and other volatile areas of the world.

It is to be hoped, she went on to say, that the UK Authorities take action to opt sites such as police stations and army barracks out of the Street View service, so as to make life more difficult for anyone involved with threats to UK national security.

"Not only is Street View a gross invasion of privacy, it's also a major threat to national security. This is something that will be a hot topic at next month's Infosecurity Europe event," she said.

"The world has changed immeasurably due to the Internet and not all the changes it engenders are positive. The next few weeks and months could be crucial in the way Google's UK Street View service evolves," she added.

Further details on the Google UK Street View service:

Further details on the Infosecurity Europe

Infosecurity Europe, running for its 14th year in 2009, is Europe’s number one Information Security event. Featuring over 300 exhibitors, the most diverse range of new products and services, an unrivalled education programme and visitors from every segment of the industry, it is the most important date in the calendar for Information Security professionals across Europe. Organised by Reed Exhibitions, the world’s largest tradeshow organiser, Infosecurity Europe is one of five Infosecurity events around the world with events also running in Belgium, Netherlands, Russia, and France. Infosecurity Europe runs from the 28th – 30th April 2009, in its new venue Earls Court, London. For further information please visit

Neil Stinchcombe, Eskenzi PR

Brocade Extends IP Network Performance and Value with New IP Network Infrastructure Offerings

New Professional Services Offerings Help Customers Transform and Increase the Value of Their IP Networks

London, 23rd March 2009: Brocade® (Nasdaq: BRCD) today announced two new professional services offerings that further demonstrate the Brocade investment and commitment to helping customers increase the value of their IP networks.


IP Network Infrastructure Services:
Brocade IP Network Infrastructure Services provide customers an end-to-end methodology to assess, design, and implement next-generation IP networks. Customers can benefit from Brocade expertise and best-practice guidance to accelerate deployment, maximise resource efficiency, and mitigate risk when implementing IP networking technology.

The Brocade IP Network Infrastructure Services portfolio includes:

  • IP Network Assessment: This in-depth service helps customers understand the effectiveness of their network environments, with Brocade recommending best practices to help plan for the future. Brocade experts will review the architecture of the customer environment and evaluate network performance, availability, and manageability.
  • IP Network Design: This service focuses on designing best-in-class networks by providing customised design options regardless of whether a partial or complete technology refresh is required.
  • IP Network Implementation: This service assists customers in configuring and integrating new Brocade network devices. It includes mounting equipment, installing physical connections, testing equipment setup, and validating the installation.
  • IP Network Migration: This service is for customers that are migrating from an old network to a new Brocade network solution. Brocade consultants gather technical requirements and prerequisites, integrate them into a detailed project schedule, and perform the migration as planned.
  • IP Network HealthCheck: This service helps customers evaluate the health of their existing environment and identify areas that need attention. It focuses on key areas such as capacity, performance, scalability, and device health.

Brocade IP Network Infrastructure Services are currently available in the Americas and EMEA and will be available in Asia Pacific and Japan in Q2 calendar year 2009.

Rapid Network Assessment Highlights:

The Brocade Rapid Network Assessment is a no-cost high-level assessment service that shows customers how they can save up to 30 to 50 percent in operational costs for their IP networking infrastructure when transitioning to next-generation Brocade IP networking solutions.

The Rapid Network Assessment includes:
  • Assessment of the IP networking infrastructure based on the current customer environment
  • Rapid Network Assessment Report based on input from the LAN Health tool, ROI/TCO tool, and the power, performance, and density calculators
  • Reports and recommendations delivered by Brocade experts that are designed to save customers up to 30 to 50 percent of their overall networking costs


More information
Brocade(R) (Nasdaq: BRCD) develops extraordinary networking solutions that enable today's complex, data-intensive businesses to optimise information connectivity and maximise the business value of their data. For more information, visit

Brocade, the B-wing symbol, BigIron, DCX, Fabric OS, FastIron, IronPoint, IronShield, IronView, IronWare, JetCore, NetIron, SecureIron, ServerIron, StorageX, and TurboIron are registered trademarks, and DCFM, Extraordinary Networks, and SAN Health are trademarks of Brocade Communications Systems, Inc., in the United States and/or in other countries. All other brands, products, or service names are or may be trademarks or service marks of, and are used to identify, products or services of their respective owners.

Source: Spreckley Partners

Finjan’s Research Reveals Cybercrime Path to Millions

In its latest Cybercrime Intelligence Report, Finjan shows how rogueware affiliate networks use SEO techniques to distribute their rogue Anti-Virus Software for profit

Farnborough, United Kingdom, 23rd March 2009 – Finjan Inc., a leader in secure web gateway products and the provider of a unified web security solution for the enterprise market, today announced that its Malicious Code Research Center (MCRC) managed to research one of the rogueware affiliate networks, where members make $10,800 a day. In the first issue of its Cybercrime Intelligence Report for 2009, Finjan shows how the rogueware was distributed using search engine optimization (SEO) techniques. Cybercriminals used SEO to optimize the distribution of their rogueware. Typos and misspelled keywords (such as “obbama” and “liscense”) as well as trendy keywords taken from the Google Trends system were abused to show compromised websites as top search results. Subsequently, the traffic volume to the compromised websites increased significantly, luring masses of potential buyers to the rogueware offering.

The Cybercrime Intelligence Report covers the following:

  • Cybercriminals are professionally organized and operate affiliate networks to boost their malware and rogueware distribution
  • To promote their rogueware, they compromise legitimate websites by injecting SEO targeted pages which include repetitive popular search keywords with minor typos
  • Search engines indexed these injected pages and display them as top search results
  • This SEO targeted technique has proven to be very effective and yielded almost half a million Google searches to compromised sites, according to statistics found on the criminal’s server during the research
  • 1.8M unique users were redirected to the rogue Anti-Virus software during 16 consecutive days
  • Members of the affiliate network were rewarded for each successful redirection with 9.6 cents “a piece”, which totals $172,800 or $10,800 per day

“As reported by Finjan before, cybercriminals keep on looking for improved methods to distribute their malware and rogueware. Since they make money by trading stolen data or selling rogue software, they are looking for new and innovative techniques all the time. To increase the distribution reach of their rogueware, they successfully turned to SEO,” said Yuval Ben-Itzhak, CTO of Finjan.

The report further details how the cybercriminals created “doorways” to redirect users searching the web. The research is described in Finjan’s first Cybercrime Intelligence Report released today.

To download the report, please visit

Finjan MCRC specializes in the detection, analysis and research of web threats, including Crimeware, Web 2.0 attacks, Trojans and other forms of malware. Our goal is to be steps ahead of hackers and cybercriminals, who are attempting to exploit flaws in computer platforms and applications for their profit. In order to protect our customers from the next Crimeware wave and emerging malware and attack vectors, Finjan MCRC is a driving force behind the development of Finjan's next generation of security technologies used in our unified Secure Web Gateway solutions. For more information please also visit our info center and blog.

Secure Gateway provides organizations with a unified web security solution combining productivity, liability and bandwidth control via URL categorization, content caching and applications control technologies. Crimeware, malware and data leakage are proactively prevented via patented active real-time content inspection technologies and optional anti-virus modules. Powerful central management enables intuitive task-based policy management, excellent drill-down reporting capabilities and easy directory integration for all network implementation options. By integrating several security engines in a single dedicated appliance, Finjan’s comprehensive and integrated web security solution enables quick deployment, simplified management and reduction of costs. Business benefits include real-time web security (no patches or updates needed), lower total cost of ownership (TCO), cost savings in administration efforts, lower maintenance costs, and reduction in loss of productivity. Finjan's security solutions have received industry awards and recognition from leading analyst houses and publications, including Gartner, IDC, Butler Group, SC Magazine, eWEEK, CRN, ITPro, PCPro, ITWeek, Network Computing, and Information Security. With Finjan’s award-winning and widely used solutions, businesses can focus on implementing web strategies to realize their full organizational and commercial potential. For more information about Finjan, please visit:

Neil Stinchcombe, Eskenzi PR

Cyber-Ark Launches Privileged Identity Management Suite to Protect Against Insider Threats and Data Theft

New Privileged Session Manager Introduces Monitoring and Recording Capabilities for Sensitive User Sessions; Powers Remote Single Sign-On for Privileged Identities

LONDON – March 23, 2009 – Cyber-Ark, the leading global software provider for protecting critical applications, identities and information, today announced availability of its Privileged Identity Management Suite v5.0. The Suite is the industry’s most comprehensive solution for securing, managing and monitoring all activities associated with powerful privileged accounts, including both administrative and application identities. It is comprised of enhanced Enterprise Password Vault®, Application Identity Manager™ products, and features the new Privileged Session Manager™ that provides sensitive session monitoring and recording, secure remote access, and privileged single sign-on capabilities.

With its Privileged Identity Management Suite v5.0, Cyber-Ark becomes the only vendor to offer a full lifecycle solution to secure, manage, log and monitor all privileged accounts – including the sensitive application identities embedded within applications and scripts, and administrative passwords found in routers, servers, databases and workstations. The Suite features a single, central infrastructure and provides administrators with greater fine-grained access control and advanced web-based reporting capabilities to address important audit and compliance questions. With new session recording capabilities and multiple password inventory reports, administrators can better answer not only “who” accessed sensitive information, but also “what” was done with that information once it was accessed.

Privileged Session Manager – Recording and Monitoring, Secure Remote Access

Privileged access to enterprise resources raises many challenges, including control over “who” is entitled to access sensitive devices, “who” within and outside an organisation can initiate privileged sessions, as well as “what” is being done during those sessions. To address those challenges, the new Privileged Session Manager provides the only fully integrated and centralised solution to securing, controlling and monitoring privileged access to network devices. This product offers a robust set of capabilities, such as:

  • Recording and Monitoring Privileged Session Activities: Privileged Session Manager enables organisations to control and monitor privileged access to sensitive systems and devices, and provides privileged session recording with DVR-like playback. Recordings are stored and protected in the Digital Vault Server® and are accessible to entitled auditors.
  • Secure Remote Access: Privileged Session Manager allows browser-based access to managed devices. This functionality is critical, especially as privileged access is often required by external third party vendors who may need to conduct trouble shooting or device maintenance on a secure network. These users require extra care that is made possible through secure remote access and secure session initiation, without exposing credentials.
  • Privileged Single Sign-On: To date, single sign-on solutions have not addressed the security vulnerabilities of privileged accounts. The new Privileged Session Manager effectively closes that gap. A single login to the Privileged Identity Management portal with optional 2-factor authentication allows connections to managed devices without knowing the connection passwords. This enables customers to enforce 2-factor authentication for sensitive device access without the need to deploy a complex single sign-on solution.

“By providing our customers with a robust, proven, easy-to-deploy suite of privileged identity management solutions, customers can decide which component they would like to start with, and build out from there,” said Udi Mokady, president and CEO of Cyber-Ark Software. “Any organisation with an IT department, system administrators and/or sensitive information has security vulnerabilities we can solve; it’s just a matter of deciding where to start. This Suite provides unmatched flexibility in a single out-of-the-box solution that simplifies audit and compliance requirements by answering questions associated with “who” has access and “what” is being accessed.”

Privileged Identity Management Suite – Central Point of Control, Consistent Security

Privileged and application accounts represent the most powerful IT users in an organisation given their wide-ranging access, yet they are often the least monitored or controlled. The Privileged Identity Management Suite v5.0 creates a centralised point of control for enterprises to achieve exceptional security, streamline updates, enhance maintenance, and ensure compliance with regulations and security best practices across all types of privileged accounts.

Core to the Privileged Identity Management Suite v5.0 is Cyber-Ark’s patented Digital Vault® technology that provides the underlying security capabilities for authentication, encryption, tamper-proof audit and data protection. The Suite easily integrates with existing enterprise systems and can protect and manage hundreds of thousands of passwords across highly heterogeneous environments. The simple, easy-to-deploy web-based interface supports rapid user adoption and presents a consistent, consolidated view of privileged accounts and sessions. Additional features and functionality include:
  • New Out-of-the-Box SAP Plug-In: The new plug-in for SAP Application Server supports automatic management including change, verification and reconciliation of select SAP accounts. As awareness of the power of privileged users moves up the stack to the application layer, Cyber-Ark can now protect access to key business suites the way it does for other assets like servers, routers and databases.
  • Hardware Security Modules (HSM) Support: The Privileged Identity Management Suite integrates with HSM tools and provides a new means for protecting its encryption keys within a secure device. With this integration, instead of having to store keys on a CD, organisations can now store keys as non-exportable.
  • Enterprise Integration – Security Information and Event Management (SIEM): The Privileged Identity Management Suite easily integrates with SIEM tools to create a complete audit picture of privileged account activities. Anything that happens in the Digital Vault can be sent as audit logs to the SIEM tool.

Cyber-Ark will be hosting a webinar at 2:00 p.m. EDT on Tuesday, March 24 to provide an in-depth overview of new Privileged Identity Management Suite v5.0 features and functionality. To register, visit

Pricing and Availability

The Cyber-Ark Privileged Identity Management Suite v5.0 is available now. The Enterprise Password Vault, Application Identity Manager and Privileged Session Manager are off-the-shelf solutions that can be purchased separately, or together as the full Suite. For more information about pricing, please contact or call +44 (0)11 890 01470.

Cyber-Ark® Software is a global information security company that specializes in protecting highly-sensitive enterprise data, restricted user accounts and passwords to improve compliance, productivity and protect organizations against insider threats. With its award-winning Privileged Identity Management (PIM) and Highly-Sensitive Information Management software, systems and network administrators can more effectively manage and govern application access while demonstrating returns on security investments to the C-suite. Cyber-Ark works with 500 global customers, including more than 35 percent of the Fortune 50. Headquartered in Newton, Mass., Cyber-Ark has offices and authorized partners in North America, Europe and Asia Pacific. For more information, visit

Yvonne Eskenzi, Eskenzi PR

Are the powers that be afraid of the Blogger?

You bet your life that they are

by Michael Smith

While, at least in say the USA, Canada, Britain and other such countries they try to pretend that they are not, and also pretend that they actually welcome the activities of the citizen journalist and Blogger, the truth is that they, that is the powers that be, are running scared.

The same is true with regards to the established media, the likes of what once was Fleet Street, though they no longer “live” there, and its “professional” journalists. Hence also the fact that Bloggers are not, as yet, welcome to join the NUJ and the IUJ.

While many – by now nigh on all, in fact – newspapers and other media outlets have an online presence, often with Blogs, they still are in no way happy with Bloggers who run their own online publications.

Though it may be true that there are even some good commercial outfits out there that are just online and who have come, basically, out of the field of Blogging, and the Blogging community, such as Grist and especially the Huffington Post, most in the media are still stuck in the old way. This, by the way, also goes for many of the PR companies, though not those that I deal with most of the time.

Italy recently, basically, went as far as, at least some judges did, declaring all Italian-operated Blogs and all Italian Bloggers illegal, as under an obscure law from just after WWII only government-licensed media are permitted.

So far the government of Italy has not taken any steps, as yet, but we hear a lot of clamoring from the EU and its member states about the need to police and regulate the activities of online social media and networks. This, to me, is proof enough that the powers that be are running rather scared of Bloggers.

Where is this going to lead?

We, who are Bloggers, who are citizen journalists, or freelance journalists running Blogs, and our readers too and especially, must stand up against this blatant attempt at censorship.

Support the Net Freedom Foundation and in any other way possible stand up for a free Internet and for the freedom to run your own publications, whether online or in print.

Blogs are the greatest “upset” to the established media and the establishment and are a revolution much like the invention of the Gutenberg printing press with the movable type in 1448.

In the same way that the Gutenberg press liberated Europe from the Dark Ages, basically, so do the Internet and Blogs and citizen journalists liberate the world, yet again. The problem, as far as the powers that be are concerned, is that the Internet and Blogs and all the other ways of publishing and printing from home via PC are upsetting the status quo and their control over the media.

The printing press provided a powerful demonstration of how new communications systems, when leveraged socially, can topple once unassailable empires of received truth. And this is where the “problem”, so to speak, lies as far as the powers that be and Blogs and Bloggers and citizen journalists per se are concerned.

Blogging, especially as a means of informing and of bringing forth discussion and such, as well as other social online media, it would appear, are seen by the powers that be as something that threatens them as just those very empires of “truths”, with the established media, in the main owned by members of one very influential lobbying group, in the forefront of those that are running scared, and that is why the governments, some overt some covert, try to curb the activities of Bloggers and Blogs.

I mean, we cannot possibly have people who think and analyze events and, while doing so, come to a different conclusion than the established media and then report such thoughts and analysis to a wide audience on the Web. This just cannot be allowed now, can it?

© M Smith (Veshengro), 2009

Xtraordinary Hosting Selects Interxion

LONDON, March 2009 – Interxion, a leading European operator of carrier-neutral data centres, has been selected by Xtraordinary Hosting, a managed hosting services provider, to provide secure, connected infrastructure to support growth for the company and its customers.

Xtraordinary Hosting offers a range of managed hosting services aimed at small to medium size enterprises. The company was founded in Scotland in 2001 and has grown steadily since then. It chose to locate its London operations in Interxion’s London City site, where it can enjoy quick access to the City and direct connectivity with 28 carriers and ISPs, including the LINX London Internet Exchange.

“We work with a number of companies that are at the forefront of hi-tech e-commerce and it is crucial that we offer them the most resilient bandwidth and the lowest possible latency,” said Andrew Ogilvie, Xtraordinary Hosting CEO.

“Interxion was the only organisation within the city with 5KW cabinets available as standard, spare capacity for future growth, and diversity of power, as well as a quality track record that we are pleased to share with our customers.”

The Interxion London City data centre has been expanded a number of times in recent years in order to meet growing customer demand. The latest expansion – 400m² of equipped space, on schedule for completion in Q1 2009 - will have access to the data centre’s 13 megawatt power supply, allowing it to deliver exceptionally high density power configurations of up to 17.5 kW per cabinet position.

“Over the past year we have seen more and more companies migrating to Interxion because we can better meet their growing requirements for power and cooling capacity, connectivity and operational resiliency,” said Greg McCullough, Interxion UK MD. “This, combined with our central location, makes Interxion an ideal choice for quality-focused enterprise-oriented organisations such as Xtraordinary Hosting.”

Interxion is a leading European provider of carrier-neutral data centres. Headquartered in Schiphol-Rijk, The Netherlands, Interxion serves its customers from 24 carrier-neutral data centres located in 13 cities across 11 European countries. Interxion serves network and carrier-based, hosting and enterprise customers who require professionally managed and strictly controlled physical environments within which to operate mission-critical applications and computer systems. Interxion’s data centres offer cost-effective and fast access to multiple local and global communication networks.

Founded in 2001 with a mission to enhance service standards for SME customers in the UK hosting industry, Xtraordinary Hosting operates its own multi-homed network (AS30827), a member of LINX plus direct connections to Tier-1 networks. The company is an innovative early adopter in niche technology areas to help customers gain and retain competitive advantage. Current examples include Xen virtualisation and hosting for Atlassian Wiki & JIRA, Zimbra collaboration suite and open source Magento Ecommerce. At Xtraordinary Hosting reliability is derived from rigorous evaluation of suppliers: bandwidth, datacentres, network equipment, servers, software, and infrastructure.

Source: Spreckley Partners Limited

Managing the Mergers & Acquisitions IT Nightmare in the Firewall Team

David Amnizade, Director Northern Europe, Tufin Technologies

Your boss steps into your office and announces: “I’ve got good news and bad news… The good news is that we’ve just acquired our largest competitor. The bad news is that we now need to manage all of their firewalls.” An increasing number of security managers are faced with the challenge of absorbing and integrating an external organization’s IT staff, their existing firewall infrastructure, and whatever data, rules and policies they had in place prior to the merger or acquisition. In some cases, security architects are asked to quickly audit an organization’s existing firewall estate, and find the potential risks contained in it as part of a due-diligence process. Once the due diligence is done and the deal is signed, IT organizations usually face a very tight schedule for the integration of the combined infrastructure.

Breaking it down
What’s the big deal about merging two IT security departments from different organizations? For starters, the infrastructure may be completely different, starting with the firewall vendor. Unlike other markets, no single vendor dominates the firewall market – with main players including Check Point, Juniper, Cisco, and Fortinet, and several additional smaller vendors in the mix as well. Working with a single vendor certainly makes life easier; however, the reality is that larger organizations do not. When managing multiple vendors, it’s critical to have some way of centrally reporting, auditing and logging for all of the firewalls in order to enforce corporate-wide policies, and make sure that a tight ship is being run.

In the interest of order and easy management, some companies select a single-vendor approach and decide, over time, to replace any other firewall vendor with their vendor of choice. This approach eventually results in tight central management, but requires a long interim period of multi-vendor management, as well as the additional costs of firewall migration.

The second major challenge is integration — in addition to being a large, time consuming project, it’s a potential “can of worms” in the form of existing change processes and firewall rules. If a unique set of security policies and criteria have been developed, security/firewall administrators will need to analyze the newly inherited firewall configurations, clean up all of the holes and misconfigurations that are found, and align processes with the current standard.

Merging Firewall Estates – Step by Step Approach
Whether the merger has already taken place or is still in the due diligence phase, there is a series of steps that one can follow to ease this transition and make it as effective and smooth as possible.

1. Collect baseline audit reports that assess the health of the acquired firewalls. A good automated report will check if firewalls conform to industry best practices including recommended basic security settings and correct software versions. This is especially important if the acquired infrastructure is from a different firewall vendor than the one currently being used. An automated firewall management solution will be able to check best-practice settings for every vendor and even convert and apply settings to the new infrastructure.

2. Streamline and clean up the acquired rule bases. To do this well, run automated Rule Usage Reports for several weeks to collect data and identify unused rules and objects – this will give a good indication of rules and objects that are no longer needed from a business perspective, and are candidates for removal (discuss this with the existing firewall team to ensure that special rules that are only used once a year aren’t deleted).

3. Perform comprehensive risk analysis. Once there is some familiarity with the new rule bases, actively check the policy for compliance with critical elements of corporate security policy. For example – what connections are allowed from DMZs into internal networks? Are there any unauthenticated connections allowed from the outside? How are sensitive databases protected?

4. Maintain compliance in real time. As the firewall team makes configuration changes on a daily basis, stay on top of the changes and ensure ongoing compliance with security policies. Import the security alerts that are defined for the existing infrastructure to include the new firewalls.

5. Implement ongoing change tracking and monitoring. Extend the current tracking and reporting system to include the new firewalls and monitor them as an integral part of the security infrastructure.
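
As an added illustration (not code from the article or from any vendor's product), the script below runs steps 2 and 3 over a vendor-neutral export of an inherited rule base. The zone map, the sensitive database subnet, the `Rule` fields and every sample rule are constructed assumptions; authentication is not modelled, so every outside-to-internal accept rule is surfaced for manual review.

```python
from dataclasses import dataclass
from ipaddress import ip_network

# Constructed zone map and sensitive subnet for the acquired estate (assumptions).
ZONES = {
    "internal": [ip_network("10.0.0.0/8")],
    "dmz": [ip_network("192.0.2.0/24")],
}
SENSITIVE_DB = ip_network("10.20.30.0/28")


@dataclass(frozen=True)
class Rule:
    name: str
    src: str       # CIDR or "any"
    dst: str       # CIDR or "any"
    service: str   # e.g. "tcp/443" or "any"
    action: str    # "accept" or "drop"
    hits: int      # hit count over the rule usage report window
    tag: str = ""  # note from the existing firewall team, e.g. "annual"


def to_net(spec):
    """Parse a CIDR string; the keyword 'any' becomes 0.0.0.0/0."""
    return ip_network("0.0.0.0/0" if spec == "any" else spec)


def zone_of(spec):
    """Map an address spec to 'any', a named zone, or 'external'."""
    net = to_net(spec)
    if net.prefixlen == 0:
        return "any"
    for zone, nets in ZONES.items():
        if any(net.overlaps(z) for z in nets):
            return zone
    return "external"


def unused_rules(rules):
    """Step 2: split zero-hit rules into removal candidates and rules the
    existing team has flagged (e.g. used once a year) that need a discussion."""
    candidates = [r.name for r in rules if r.hits == 0 and not r.tag]
    needs_review = [r.name for r in rules if r.hits == 0 and r.tag]
    return candidates, needs_review


def risk_findings(rules):
    """Step 3: flag accept rules that cross the boundaries the policy cares about."""
    findings = []
    for r in rules:
        if r.action != "accept":
            continue
        src_zone, dst_zone = zone_of(r.src), zone_of(r.dst)
        reaches_internal = dst_zone in ("internal", "any")
        if reaches_internal and src_zone == "dmz":
            findings.append((r.name, "dmz-to-internal"))
        if reaches_internal and src_zone in ("external", "any"):
            findings.append((r.name, "outside-to-internal"))
        if r.service == "any":
            findings.append((r.name, "any-service"))
        if to_net(r.dst).overlaps(SENSITIVE_DB) and src_zone != "internal":
            findings.append((r.name, "database-exposed"))
    return findings


# Constructed sample export of an acquired rule base (not real data).
SAMPLE_RULES = [
    Rule("web-in", "any", "192.0.2.10/32", "tcp/443", "accept", 48211),
    Rule("dmz-to-db", "192.0.2.10/32", "10.20.30.5/32", "tcp/1433", "accept", 9120),
    Rule("legacy-vendor", "203.0.113.0/24", "10.1.0.0/16", "any", "accept", 0),
    Rule("year-end-batch", "10.5.0.0/24", "10.20.30.5/32", "tcp/1521", "accept", 0, "annual"),
    Rule("old-ftp", "10.9.0.0/16", "192.0.2.20/32", "tcp/21", "accept", 0),
    Rule("cleanup-drop", "any", "any", "any", "drop", 120000),
]

if __name__ == "__main__":
    candidates, needs_review = unused_rules(SAMPLE_RULES)
    print("Removal candidates:", candidates)
    print("Zero hits, confirm with firewall team:", needs_review)
    for name, finding in risk_findings(SAMPLE_RULES):
        print(f"{name}: {finding}")
```

A zero-hit rule that also carries a finding, such as `legacy-vendor` here, is the natural first item to raise with the acquired firewall team.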

Mergers and acquisitions usually involve business decisions that you have no control over, yet the amount of IT-related work that results from them is immense. If you’re managing firewalls for an organization that is about to merge with or acquire another company, you’re probably facing a very busy and intense period that will last anywhere from several months, to over a year. You can manage the process and simplify the transition by applying a consistent approach, and by using automated tools that will save you a lot of time and effort.

Tufin Technologies is exhibiting at Infosecurity Europe 2009, the No. 1 industry event in Europe held on 28th – 30th April in its new venue Earl’s Court, London. The event provides an unrivalled free education programme, exhibitors showcasing new and emerging technologies and offering practical and professional expertise. For further information please visit

Courtesy: Infosecurity PR