by Michael Smith (Veshengro)
28 April 2009, London, UK: The Stonewood Group, the leading hardware encryption technology pioneer, is exhibiting its newly accredited Eclypt Range of products for the first time at this year’s Infosecurity Europe. The hardware encrypted internal drives and USB disks are approved by the British Government for up to Top Secret information, making high level data security available to businesses and consumers alike.
The Eclypt range, which includes internal and external drives, received Her Majesty’s Government CAPS (CESG-Approved Product Scheme) accreditation making Stonewood’s Eclypt range the only CAPS approved USB storage device and the only devices available that reduce the protective marking of data at rest by two levels from Top Secret to Confidential and Secret to Restricted.
Chris McIntosh, Stonewood CEO said, “We are really excited to be exhibiting our newly accredited Eclypt range for the first time. We want to impress on Infosecurity’s delegates that there is no longer any excuse for data loss from any private or public sector organisation at any time because for the first time affordable, accessible, accredited hardware technology is available to all.”
This breakthrough comes at a time when a survey by GfK NOP on behalf of the Stonewood Group shows the British public calling for accountability. Eighty-nine per cent of those surveyed felt that negligence leading to data loss should become a criminal offence.
The three-day event attracts visitors from a broad range of industries and is seen as an important date in the calendar for Information Security professionals across Europe.
Let us hope that the likes of the British government and the military will get some of these in order to secure their data in transit. Up to now it has been more than a joke, and Britain is the laughing stock of Europe as far as the government's data security is concerned.
Stonewood can be found at booth H 42 at Infosecurity 2009 from 28 – 30 April 2009, Earls Court, London, UK.
© 2009
Stonewood's HM Government CAPS Accredited Eclypt Range Shown for the first time at Infosecurity Europe
Survey reveals a third of workers can be bribed
by Michael Smith (Veshengro)
Would you sell your company’s secrets to a stranger for a million pounds?
That was the exact question that was put to 600 commuters recently at busy London railway stations and more than a third (37%) admitted that they would give over their company’s secrets for the right price.
Researchers from Infosecurity Europe – Europe's largest IT security event, which takes place next week – asked workers what it would take to tempt them to download and hand over sensitive company information to a stranger, offering incentives ranging from a 'slap-up meal' to offers of over ten million pounds.
Of the 37% of workers who could be corrupted, 63% would only hand over sensitive data for at least one million pounds, 10% would do it if their mortgage was paid off, 5% would do it for a holiday, 4% for getting rid of their credit card debt and 5% would do it for a new job. The surprised researchers couldn't believe their ears when 2% of the workers admitted that they would hand over their company's crown jewels just for a free slap-up meal.
The types of information that the workers had access to included customer databases (83%); business plans (72%); accounting systems (53%); human resources databases (51%); and IT admin passwords (37%).
Two thirds (68%) of employees think it is easy to sneak information out of their organisation and 88% of employees thought that the information that they had access to was valuable. More than half of the workers in the survey (55%) said they were more worried about losing their jobs than they were this time a year ago.
Employee loyalty has changed too, with a third saying they felt a lot less loyalty to their employers than a year ago; however, 5% were more loyal as they felt they had job security.
"It's quite staggering that a third of people are open to bribery, although it's encouraging that 63% of workers are honest and wouldn't give anything away, not even for a million pounds! However, you can't count on people's honesty to protect the assets of a company; it's down to an organisation to take steps to ensure their most valuable assets are locked down and protected, especially confidential customer data," said Tamar Beck, Group Event Director, Infosecurity Europe. "Criminals are very adept at finding the vulnerable workers who can be tempted into betraying their employers; therefore, organisations should ensure that they have trained their people to protect sensitive information and have adequate technology and processes in place to help them enforce security policies that comply with current regulation and legislation."
When the information asked for changed to credit card information, account details or security codes, employees became harder to tempt, with 80% refusing to take the risk and unwilling to provide this information at any price. Of the 20% of employees who would pass on credit card information, account details or security codes, 68% would only do it for a million pounds, 7% if their mortgage was paid off, and 15% for paying off their credit cards.
To say that such findings are worrying would be more than an understatement. I wonder what answers we would get if we asked people who have access to this country's secrets. I would not be surprised if the replies there, especially amongst the "ordinary" staff, were the same. This does not bode well for your and my personal data that is held here and there and accessible by call centre staff working for the various agencies. No wonder, therefore, that identities are being cloned at an alarming rate.
Infosecurity Europe is the event that enables organisations to prepare for the potential onslaught on their information systems. It plays host to Europe's largest FREE educational programme, where visitors have the opportunity to listen to a fantastic range of 150 experts, including David Blunkett MP, who will give the Opening Address on the Rapidly Changing Face of Cybersecurity – What Dangers For 2012. Lord Erroll will lead a keynote which looks at Who Got Caught Out in the Last 12 Months, and Dr. Nigel P Brown, from the Cabinet Office, will lead a debate on the impact of the Global Credit Crunch on the Information Security Market. Lynn Lawton, International President for ISACA, will lead a discussion of the role that information security has in governance, risk & compliance; and James Brokenshire MP will investigate the Dynamics of e-Crime. The panel on Externalisation features CISOs from AstraZeneca, Eli Lilly and BP.
Infosecurity Europe, running for its 14th year, is Europe's number one Information Security event. Featuring over 300 exhibitors, the most diverse range of new products and services, an unrivalled education programme and visitors from every segment of the industry, it is the most important date in the calendar for Information Security professionals across Europe. Infosecurity Europe runs from 28th – 30th April 2009 in its new venue, Earls Court, London.
To register to attend or for more information please visit www.infosec.co.uk
© 2009
SRM to extend its Risk Management service portfolio with acquisition of InfoSec Associates
Acquisition gives SRM complete range of solutions and helps Company move into top tier of security consultancy firms
SRM, a specialist provider of Operational Risk Management services, has today announced that it has acquired InfoSec Associates, one of the UK's leading Information Assurance consultancy firms. As a result, SRM will be expanding its service portfolio in a number of key Information Assurance disciplines, including Business Continuity Management and Information Security Management.
SRM already offers a wide range of consultancy services in the areas of information risk management and secure IT service delivery. The acquisition of InfoSec Associates, however, will further enhance SRM's work with industry best practice in the fast-growing area of Information Assurance. Following this move, SRM will now be able to provide specialist support to Information Governance and Chief Information Officers, and also for companies that require board level support, but lack the resources for a permanent placement.
"Despite today's challenging economic climate, we are continuing to grow steadily, with new offices now open in Tyne and Wear, an ongoing national recruitment campaign, and now this acquisition of InfoSec Associates," says Stephen Brown, SRM's Managing Director. "The skills and experience of the consultants at InfoSec are exceptional; they will not only make a great addition to our team, but will also support our continued growth by helping to extend and improve our service portfolio for our clients."
"It makes good business sense for our two companies to join forces, since all of our clients will now be able to rationalise their projects by procuring related services through one service provider – and that's the key to delivering better value for our clients," adds Tom Fairfax, a Principal Consultant from InfoSec Associates. "With its vast expertise within the Operational Risk area, SRM has both managed and reduced risk for their clients with amazing success. We are delighted to be joining their highly skilled team."
SRM has recently become an accredited QSA company under the Payment Card Industry's Qualified Security Assessor programme (PCI QSA), and this latest acquisition further enhances the extensive range of services that SRM already offers, thus providing businesses with a comprehensive 'one-stop shop' for all of their security needs. In addition to Information Assurance services, SRM also provides its SME and corporate customers with a wide range of risk management solutions, including pre-employment screening, information security, business continuity, and standards compliance.
SRM will be at the Infosecurity Exhibition in April 2009 at Earl's Court, London, appearing on Stand H41.
Established by security professionals formerly within the private sector, the Police service and other government agencies, Security Risk Management Ltd offers an unrivalled range of best practice Operational Risk Management services to ensure effective assurance and mitigation of risk within a company's infrastructure. SRM offers services including: Risk Management, Information Security Management Services, Enterprise Examinations, Business Continuity, Corporate Investigations, Personnel Screening, ISO27001 Implementations and specialised training. For more information please visit www.srm-solutions.com
NHS Grampian laptop theft highlights need for data vaulting
Cyber-Ark says NHS Grampian laptop theft highlights need for private data to be securely data vaulted
Cyber-Ark, the digital data vaulting specialist, says the recent theft of a laptop from Aberdeen Royal Infirmary, which contained the details of more than 1,300 patients, could have been avoided.
"This incident, involving a laptop stolen from a locked office, smacks of poor security policies at the NHS authority," said Mark Fulbrook, Cyber-Ark's UK and Ireland director.
"Granted, the laptop was protected using a standard Windows password, but this level of security can easily be circumvented by an IT professional. You have to question why the data was stored on an unencrypted basis on the computer in the first place," he added.
According to Fulbrook, patient data of this type should never have been stored on a portable computing device, but stored instead on a computer server in encrypted format, accessible to laptop users on a remote - and encrypted - VPN basis.
Using this approach, with the master passwords accessible only to a few senior officers via a data vaulting approach, would mean that access to the patient data was available on a fully audit-logged and authenticated basis.
The fact that the data concerned patients with an inflammatory bowel problem, he went on to say, is all the more embarrassing for the patients concerned, who will now be worried about their friends and colleagues discovering their unfortunate problem.
Worry about medical problems being revealed, he explained, is potentially much more embarrassing than almost any other issue being made public, and the fact that these types of diseases are often made worse by stress is really bad news for the patients concerned.
"Not only will the patients affected by this laptop theft be worried about their data being made public, but the worry of the situation could actually make their problems worse," he said.
"The fact that the problem was totally avoidable makes this data loss situation a lose-lose event for all concerned," he added.
For more on the Aberdeen NHS laptop theft fiasco: http://preview.tinyurl.com/dmm9hx
For more on Cyber-Ark: http://www.cyber-ark.com
Source: Eskenzi PR
Tony Blair's hacked Facebook profile has a serious message
The fact that former British Prime Minister Tony Blair's profile page on Facebook has been hacked may bring a wry smile to many political and security industry observers but, says Fortify Software, the application vulnerability specialist, there is a more serious message behind the page hack fallout.
"Reports suggest that Tony Blair's Faith Foundation Facebook page has been defaced with references to Martin Sheen, the actor who played the US President in the TV drama The West Wing," said Richard Kirk, Fortify's European Director.
"The fact that his page was hackable, however, highlights the need to include code auditing in the software development process, something that whoever created the Facebook application used by the Faith Foundation appears to have overlooked," he added.
According to Kirk, the sheer weight of hacking activity on Web portals in general means that any company planning to show its Web pages to the public on the Internet - and that includes most firms - must now carefully code-audit their pages and any applications used on the Internet.
This especially applies to Web 2.0 services like Facebook, he says, where the extensible nature of the environment allows users to program their own applets for use on the service.
"We have reached the stage where interactivity is king on the Internet, but it also brings with it the potentially serious problem of IT security. Web 2.0 significantly changes the security paradigm," he said.
"Anyone coding software that includes any element of Internet interaction, and not just Web 2.0 environments, needs to be aware of the risks, and the fact that hackers are every bit as code-savvy as they are, if not more so," he added.
For more on the Tony Blair Facebook hack: http://tinyurl.com/cnbndb
For more on Fortify Software: http://www.fortify.com
Source: Eskenzi PR
IT experts say Czech summit data leak should not have happened
Czech summit data leak should not have happened says Credant
The data leak at the EU/US summit which recently took place in the Czech Republic – and which has reportedly resulted in Finland's Prime Minister changing his passport – should not have happened, says Credant Technologies, the military grade encryption specialist.
"For this data leak - apparently through a hotel computer - to have happened at such a high level event is severely embarrassing for the Czech government, but you really do have to ask yourself why the data wasn't encrypted from prying eyes," said Michael Callahan, Credant's senior vice president.
"The situation has become sufficiently serious for the Czech Office for the Protection of Personal Data to start an investigation, but this is too late, as the leak could mean the personal data on the 200 participants at this high level event has fallen into the hands of terrorists," he added.
According to Callahan, it is now almost certain that the US government security agencies have gone into overdrive following the data leakage, since President Obama - along with the highest representatives of all 27 European Union countries - attended the informal summit.
Igor Nemec, director of the Czech data protection office, has been quoted as saying that the offenders behind the data loss will be fined if they are tracked down, but, says Credant, the culprits are unlikely to be caught at this late stage.
This is, says Callahan, political posturing on the part of a highly embarrassed Czech government.
The sad fact is, he explained, that had the data been encrypted and accessed only on an authenticated need-to-know basis by specific individuals, then the leak would simply not have happened.
The fiasco, he says, only serves to boost Europe's security image - or rather lack of it - in US security circles.
"With the flight details and passport numbers of around 200 of the world's highest ranking officials having apparently walked out of the hotel door, this is a security faux pas situation of the highest order," said Callahan.
"Heads will undoubtedly roll because of this data leak, but the case brings home the fact that no-one is immune to stupidity. Anyone involved with the storage of private data should take note of this fiasco and improve their own data security as a result," he added.
For more on the Czech data leak fiasco: http://preview.tinyurl.com/c7mbno
For more on Credant Technologies: http://www.credant.com
Source: Eskenzi PR
Finjan Discovers 1.9 Million Corporate and Government Computers Controlled by Cybercriminals
Finjan Discovers a Network of 1.9 Million Malware-Infected Computers Controlled by Cybercriminals - Corporate and Government Computers Are Included
Findings show that the UK and the US top the list with the highest number of infected computers
Farnborough, United Kingdom, 22nd April 2009 – Finjan Inc., a leader in secure web gateway products and the provider of unified web security solutions for the enterprise market, announced that Finjan’s Malicious Code Research Center (MCRC) has discovered a network of 1.9 million malware-infected computers. Corporate, government and consumer computers around the world were infected by the malware.
This discovery is part of research conducted by MCRC when investigating command and control servers operated by cybercriminals. The cybercrime server has been in use since February 2009, is hosted in Ukraine and is controlled by a cybergang of six people. These cybercriminals established a vast affiliation network across the Web to successfully distribute and operate their malware install-base. They compromised computers in 77 government-owned domains (.gov) from the UK, US and various other countries.
The malware is remotely controlled by the cybercriminals, enabling them to instruct the malware to execute almost any command on the end-user computer as they see fit, such as: reading emails, copying files, recording keystrokes, sending spam, making screenshots, etc.
Since the discovery of its findings, Finjan has provided UK and US law enforcement with information about the server. Finjan has also contacted affected corporations and government agencies to let them know that their computers were among those listed as infected.
"As predicted by Finjan at the end of last year, cybercriminals keep on looking for improved methods to distribute their malware, and Trojans are winning the race. The sophistication of the malware and the staggering amount of infected computers proves that cybergangs are raising the bar," said Yuval Ben-Itzhak, CTO of Finjan. "As big money drives today's cybercrime activities, organizations and corporations need to protect their valuable data to prevent theft by these kinds of sophisticated cyberattacks."
The research also revealed that the malware is installed on computers when users visit compromised websites serving malicious code. Information found by MCRC on the command and control server includes the IP addresses of the infected computers as well as the computers' names inside the corporate and government networks that are running the malware.
The global spread of infected computers in percentages is as follows:
· US: 45%
· UK: 6%
· Canada: 4%
· Germany: 4%
· France: 3%
· Other: 38%
The malware is infecting computers running the Windows XP operating system and using the following Web browsers:
· Internet Explorer - 78%
· Firefox - 15%
· Opera - 3%
· Safari - 1%
· Other - 3%
As recommended by leading analysts, a unified Web security solution is the preferred solution for corporate and government agencies against today’s cyber attacks. Finjan’s Unified Secure Web Gateway product combines multi-layered Web security, utilizing real-time content inspection technologies, with data leakage prevention (DLP) solutions. Finjan’s product also provides Web 2.0, productivity, liability and bandwidth control via URL categorization, content caching and applications control technologies on one dedicated appliance. This enables companies and governmental agencies alike to enjoy optimal multi-layered protection in real-time, with lower Total Cost of Ownership (TCO) and higher Return on Investment (ROI).
Screenshots and examples taken from the command and control server can be found on Finjan’s MCRC blog post at: www.finjan.com/mcrcblog
Finjan’s team will be available for questions regarding the discovery at Infosecurity Europe conference, Earls Court, London, UK on 28-30 April (Booth H20, Hall EC1). Finjan also invites you to come to the Business Strategy Theatre, when Finjan’s UK Regional Director Mr. Tim Warner will hold the seminar “How Organisations can protect themselves against the current Cybergeddon” on Wednesday April 29, starting at 15:20 hrs.
Finjan’s Malicious Code Research Center (MCRC) specializes in the detection, analysis and research of web threats, including Crimeware, Web 2.0 attacks, Trojans and other forms of malware. Its goal is to be ahead of hackers and cybercriminals, who are attempting to exploit flaws in computer platforms and applications for their profit. In order to protect Finjan’s customers from the next Crimeware wave and emerging malware and attack vectors, MCRC is a driving force behind the development of Finjan's next generation of security technologies used in its unified Secure Web Gateway solutions. For more information please also visit MCRC’s info center and blog.
Finjan is a leading provider of secure web gateway solutions for the enterprise market. Finjan Secure Web Gateway provides organizations with a unified web security solution combining productivity, liability and bandwidth control via URL categorization, content caching and applications control technologies. Crimeware, malware and data leakage are proactively prevented via patented active real-time content inspection technologies and optional anti-virus modules. Powerful central management enables intuitive task-based policy management, excellent drill-down reporting capabilities and easy directory integration for all network implementation options. By integrating several security engines in a single dedicated appliance, Finjan’s comprehensive and integrated web security solution enables quick deployment, simplified management and reduction of costs. Business benefits include real-time web security (no patches or updates needed), lower total cost of ownership (TCO), cost savings in administration efforts, lower maintenance costs, and reduction in loss of productivity. Finjan's security solutions have received industry awards and recognition from leading analyst houses and publications, including Gartner, IDC, Butler Group, SC Magazine, eWEEK, CRN, ITPro, PCPro, ITWeek, Network Computing, and Information Security. With Finjan’s award-winning and widely used solutions, businesses can focus on implementing web strategies to realize their full organizational and commercial potential. For more information about Finjan, please visit: www.finjan.com.
Neil Stinchcombe
Eskenzi PR
Optenet to Provide Complimentary Web Filtering Solution to Infosec Attendees
Socially Responsible Organisation to Give Away Free WebFilter PC Solution Worth €39 on Stand H82
London UK, April 21 2009 - Optenet, a global IT security company and provider of high-performance content filtering solutions, will be providing free, one-year licenses for its popular Optenet WebFilter PC product to delegates at Infosecurity Europe 2009.
Optenet first undertook such an initiative to support February’s Safer Internet Day – the annual event to promote safe and responsible use of online technologies particularly among children – where free versions of WebFilter could be downloaded from its website.
Optenet has been prompted to repeat this offer by the alarming rise in cyber-bullying among children and adolescents through interactive technologies (online games, email, Internet forums, text messaging, mobile and other electronic devices). Optenet's WebFilter PC helps parents monitor their children's Web browsing activity at home and avoid cases of online harassment. Visitors to Optenet's stand (H82) during the show will receive a complimentary one-year licence worth €39.
“Providing free copies of Optenet’s WebFilter PC is a significant step towards protecting children online, in conjunction with awareness and education of the problem itself,” says Optenet’s Regional Director Northern Europe, Kevin Roberts. “We are firmly committed to the protection of surfers of all ages. As an organisation, we cooperate with and support the efforts of the European Commission, as evidenced by our collaboration with CEOP in the UK and recent activity around February’s Safer Internet Day.”
Infosecurity Europe 2009 is taking place at London’s Earls Court exhibition centre from April 28-30.
Optenet is a global IT security company that provides high-performance content filtering solutions to service providers and large enterprises worldwide. Optenet’s technology protects 75 million end users around the globe, including the customers of many of the world’s leading ISPs and mobile operators, as well as employees of global enterprise organizations. The Company is a socially conscious organization, committed to eliminating illegal content on the Internet, protecting children and supporting government agencies and non-profit organizations that share the same goal. For more information, visit www.optenet.com.
Rise in Unisys Security Index sets the scene for Infosecurity Europe
London, 20th April 2009 - The organisers of the Infosecurity Europe show, which takes place in London next week, say that increased consumer worries over ID theft and fraud need to be addressed by the IT security industry.
"The latest Unisys Security Index for Internet security shows that worries about ID theft and online fraud are soaring, as reports of electronic fraud continue to hit the headlines," said Tamar Beck, Group Event Director, Infosecurity Europe. "The index confirms industry observations that criminals are increasingly moving online, which explains why 69 per cent of UK consumers say they are concerned about computer security, with 65 per cent worried about their safety and security when banking or shopping online," she added.
According to Beck, the latest edition of the twice-yearly analysis of European attitudes towards a variety of security topics makes for interesting reading, not least because 72 per cent of UK citizens say they are at greater risk from identity theft and related crimes such as credit card fraud as a result of the economic downturn.
The economic downturn, she explained, has undoubtedly forced cybercriminals to diversify into new areas of fraud, and this trend is one that will be discussed by a leading team of professionals at the Infosecurity show in London later this month.
The show organisers have assembled several of the industry's leading figures in IT to discuss the latest trends on cybercrime, as well as explain to audiences how to better protect their IT resources from the ensuing problems.
Speakers lined up to keynote at next week's IT security event include Jeff Brooker, Head of Security & Business Continuity with HMRC who, along with Julia Harris, Head of Information Security with BBC Future Media & Technology, will be looking at who got caught out on the IT security front in the last 12 months.
Charlie McMurdie, Detective Superintendent with the Police Central e-Crime Unit of New Scotland Yard - along with Philip Virgo, Secretary General of EURIM, and the Rt Hon Alun Michael MP - meanwhile, will be looking at who should police the global Internet and who is ultimately responsible for Internet crimes.
It is against the backdrop of the increased Unisys Security Index that professionals should be encouraged to attend the Infosecurity Europe event, which offers one of the UK's largest free education programmes on information security issues.
"We have assembled some of the UK and Europe's finest professionals to explain to IT and business managers how they can better protect their company IT resources," said Beck.
"At this time of economic uncertainty, good advice is always to be welcomed, and the fact that this advice is being offered free of charge makes Infosecurity Europe a must-attend event for anyone concerned about the rise in cybercrime worries," she added.
Infosecurity Europe, running for its 14th year in 2009, is Europe's number one Information Security event. Featuring over 300 exhibitors, the most diverse range of new products and services, an unrivalled education programme and visitors from every segment of the industry, it is the most important date in the calendar for Information Security professionals across Europe. Infosecurity Europe is one of five Infosecurity events around the world, with events also running in Belgium, the Netherlands, Russia and France. Infosecurity Europe runs from 28th – 30th April 2009 in its new venue, Earls Court, London.
To register to attend or for more information please visit www.infosec.co.uk
For more on the Unisys Security Index: http://preview.tinyurl.com/dxfc3z
© Infosecurity PR
Interxion Announces Platinum Sponsorship of Datacenter Transformation Summit
Interxion, a leading European operator of carrier-neutral data centers, today announced its Platinum Sponsorship of The Datacenter Transformation Summit (www.dtsummit.com). The event will take place on 28th April 2009 at the Dulles Hyatt in Herndon, Virginia, USA. The summit, held by analyst group Tier 1 Research, aims to provide unique insights into the datacenter decision-making process. Delegates come together to learn, network and map out strategies in conjunction with Tier1 Research’s Datacenter Strategies team.
As part of the company's support for the event, Interxion Group MD Anthony Foy will be speaking on the topic of Cloud Computing, discussing how carrier-neutral datacenters can be leveraged to optimise the delivery of Cloud computing services. Anthony will also take the opportunity to highlight the importance of a reliable network infrastructure for Cloud computing and how organisations can build highly resilient, scalable Cloud Computing environments in the data center.
“The Datacenter Transformation Summit brings together a range of professionals from data center architects and industry visionaries, to data center operators and managers, and it enables us to discuss the latest trends and technologies with our peers in the industry,” said Anthony Foy, Interxion Group Managing Director. “Our participation in this event illustrates our dedication to working with industry experts to ensure efficient and reliable data center design and management. We look forward to continuing to support the work of Tier 1 Research in the data center field.”
Interxion is a leading European provider of carrier-neutral data centers. Headquartered in Schiphol-Rijk, The Netherlands, Interxion serves its customers from 24 carrier-neutral data centers located in 13 cities across 11 European countries. Interxion serves network and carrier-based, hosting and enterprise customers who require professionally managed and strictly controlled physical environments within which to operate mission-critical applications and computer systems. Interxion’s data centers offer cost-effective and fast access to multiple local and global communication networks.
For more information please visit www.interxion.com
Source: Spreckley Partners
<>
Experts say PIN cracker situation a result of weak security practices
PIN cracker situation a result of weak security practices says Credant
Revelations that hackers have discovered a method of cracking PINs from payment cards as they travel from an ATM to a banking computer are the direct result of sloppy security practices, says Credant Technologies, the military grade encryption specialist.
"The report, from Verizon Business, claims to show that criminal fraudsters are intercepting the weakest links in the multi-hop network path between one bank's ATM and the home network of the card being used," said Michael Callahan, Credant's senior vice president.
"The fraudsters appear to have realised that each HSM (hardware security module) at each 'stop' on the transaction authorisation route has to decrypt the PIN and its associated card data string and then re-encrypt the data stream using its own algorithms for the next leg," he added.
According to Callahan, with ATM-to-bank-computer routes typically traversing several network hops - especially in North America - this can give the fraudsters a chance to take advantage of a smaller bank's HSM security.
What many people overlook, he says, is that the branding of various ATMs - Cirrus, Visa, MasterCard etc - is just that, a brand, and the convoluted path a card authorisation and transaction request can make is hidden from the cardholder's view.
All is not lost, he explained, as it is perfectly possible for a bank - or group of banks - to encrypt the PIN and other security data at the ATM end of the link, and then further encrypt the data string for each leg of its journey, as required by the banking network.
This means, he says, that if the origin data is encrypted to a very high level, when the data is decrypted at its destination HSM, it can be further decrypted before being handed on to the relevant bank computers.
"Double levels of encryption are nothing new in high level security circles. It's a shame that the banks appear to have overlooked this issue when designing their ATM networks," he said. "There is nothing to stop banks adding military grade encryption as an underlay to their existing HSM-based network encryption system and so ensuring their cardholders are safe from this new type of hacking exploit," he added.
For more on the weakest link in the ATM chain story: http://tinyurl.com/c8uag9
http://www.credant.com
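The "double level of encryption" Callahan describes, modelled as an added example (not Credant's or any bank's code): a PIN block relayed hop by hop through link-encrypting HSMs, once with link encryption alone and once with an end-to-end underlay keyed only between the ATM and the issuer. Hop names, keys and the PIN block are constructed, and the HMAC-based cipher stands in for the 3DES/AES PIN-block encryption a real HSM uses.

```python
"""Hop-by-hop versus layered (end-to-end underlay) PIN protection.

Added example modelling the authorisation path described above:
ATM -> acquirer HSM -> switch HSM -> issuer HSM. Adjacent hops share a link
key; each HSM decrypts the inbound PIN block and re-encrypts it for the next
leg. Hop names, keys and the PIN block are constructed. The cipher (an
HMAC-SHA256 keystream with an HMAC tag) stands in for the 3DES/AES PIN-block
encryption a real HSM performs; it illustrates the architecture only.
"""
import hashlib
import hmac
import os

HOPS = ["ATM", "acquirer-HSM", "switch-HSM", "issuer-HSM"]


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive separate encryption and MAC keys from one link key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce(16) || ciphertext || tag(32), encrypt-then-MAC."""
    nonce = os.urandom(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a modified PIN block is rejected."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("PIN block failed integrity check")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def make_link_keys():
    """One key per adjacent pair of hops (three legs for four hops)."""
    return [os.urandom(32) for _ in range(len(HOPS) - 1)]


def relay(payload: bytes, link_keys, observed: dict) -> bytes:
    """Carry `payload` along the path. Every HSM strips the inbound link layer,
    records what it can now see, and re-wraps for the outbound leg. Returns
    what the issuer HSM holds after removing its own link layer."""
    blob = encrypt(link_keys[0], payload)            # ATM -> acquirer leg
    for i in range(1, len(HOPS)):
        seen = decrypt(link_keys[i - 1], blob)       # this HSM's plaintext view
        observed[HOPS[i]] = seen
        if i < len(HOPS) - 1:
            blob = encrypt(link_keys[i], seen)       # re-encrypt for the next leg
    return observed[HOPS[-1]]


def hop_by_hop(pin_block: bytes, link_keys):
    """Link encryption only: every intermediate HSM handles the clear PIN block."""
    observed = {}
    return relay(pin_block, link_keys, observed), observed


def layered(pin_block: bytes, link_keys, e2e_key: bytes):
    """The underlay the article proposes: the ATM first encrypts under a key
    shared only with the issuer, then the link layer wraps that as before."""
    observed = {}
    inner = relay(encrypt(e2e_key, pin_block), link_keys, observed)
    return decrypt(e2e_key, inner), observed


def exposed_hops(pin_block: bytes, observed: dict):
    """Hops whose plaintext view of the traffic was the PIN block itself."""
    return sorted(hop for hop, seen in observed.items() if seen == pin_block)


if __name__ == "__main__":
    pin_block = b"041234FFFFFFFFFF"                  # constructed PIN block
    links = make_link_keys()
    _, seen = hop_by_hop(pin_block, links)
    print("hop-by-hop, PIN visible at:", exposed_hops(pin_block, seen))
    recovered, seen = layered(pin_block, links, os.urandom(32))
    print("layered, PIN visible at:", exposed_hops(pin_block, seen),
          "| issuer recovers PIN:", recovered == pin_block)
```

With link encryption alone every HSM on the route sees the PIN block in clear; with the underlay only the holder of the end-to-end key does.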
In other words, the fraudsters have gotten wise while the banks and others haven't, as yet. The cameras and other equipment that used to have to be installed at the ATM to collect card numbers and PINs (and some still use it, so don't drop your guard as yet, folks) could be spotted, and installing it was a risky business. Now they seem to have found a much easier way.
Vigilance on the user's side is one thing, and sometimes that is the weakest link. Alas, it would appear that, while users may be getting wiser too, sloppy security practices of the institutions themselves are at fault for PINs and other data falling into the wrong hands.
As it has been described by the people from Credant, it is not rocket science. The problem, as with most security programmes, is that it costs money to implement such measures, and that is where it all seems to fall flat every time, and not just as far as PINs and other banking data are concerned.
© 2009
<>
Automating Network Configuration Management and Ensuring Network Compliance, Security
By V Balasubramanian, Marketing Analyst, ManageEngine DeviceExpert, AdventNet Inc.
Modern enterprises depend on network availability for business continuity. In heterogeneous networks, administrators face numerous challenges in properly managing device configurations, carrying out changes, and minimizing network downtime triggered by human errors. Ensuring that device configurations remain compliant with various standard practices and regulations could aid in minimizing network downtime and thereby help the network remain in top shape. Automating network configuration management is the means to achieve this goal.
Networks form the backbone of modern IT and other enterprises. The components of that backbone, the network infrastructure, are quite complex and varied, with hundreds or even thousands of mission-critical edge devices such as switches, routers and firewalls from dozens of hardware vendors. Enterprises make huge investments in procuring network infrastructure and employ highly skilled professionals to manage and administer it. Typically, a few administrators manage a large infrastructure.
Managing the network is a challenging task as business continuity directly depends on network availability. Even a few minutes of network outage could have a rippling effect on the revenue stream as critical business services get affected. And as business needs grow, network complexity also grows exponentially. The enterprise naturally puts the squeeze on the few network administrators, mandating them with the responsibility of ensuring network availability. Not just network availability, but also ensuring security and reliability and optimizing performance, capacity and utilization of the network fall under the ambit of the administrators.
Business needs are in a constant state of flux and administrators are required to respond to the needs often by configuring the network devices, which is a sensitive and time-consuming task. It requires specialized knowledge, familiarity with all types of devices from different vendors, awareness on the impact of changes, precision and accuracy. Naturally, the highly skilled network administrators carry out the configuration changes.
Ironically, most of the configuration changes are repetitive, labor-intensive tasks - for instance, changing passwords and Access Control Lists. Yet, as even minor errors in configuration changes to the devices in production carry the risk of causing network outage, the skilled network administrators spend a significant part of their time on configuring the devices. They find it hard to concentrate on strategic network engineering and administration tasks.
Besides, with increasing security threats to mission-critical network resources and serious legal consequences of information mis-management, enterprises everywhere are required not just to follow standard practices, internal security policies, stringent Government regulations and industry guidelines, but also to demonstrate that the policies are enforced and network devices remain compliant with the policies defined. Ensuring compliance has become a priority for network administrators nowadays. This drives them to take extra care while changing configurations.
Administrators also have to continuously monitor the changes carried out to the devices, as any unauthorized change can wreak havoc to the network.
It is evident that administrators face pressures from multiple angles; but, how do they normally manage configurations? Let us have a look at some of the traditional network configuration management practices:
- While carrying out changes, most administrators document the proposed changes. They log in to each device separately and carry out the change. If the configuration changes are not successful, they return the configuration to the previous working state by undoing the changes as recorded in their documentation.
- In big enterprises with a large number of devices, the administrators cannot follow the 'change documentation' process. Instead, they develop custom scripts to push configurations to multiple devices. With the enormous diversity of hardware vendors, the administrators develop numerous custom scripts to suit the syntax of each device type.
- Some others juggle with fragmented tools to do specific tasks in configuration management. They correlate the output from each tool manually.
- Still worse, some administrators follow the haphazard way of carrying out changes to live equipment without any management plan. When errors in configuration cause network outage, they end up wishing that they could move the configuration back to a proper working version. They manually troubleshoot the cause.
The manual way of configuring the devices suffers from various disadvantages and serious limitations. The following are prominent among the many:
- The highly skilled network administrators spend most of their precious time on repetitive, time-consuming configuration tasks. They get little time to focus on strategic network administration plans and tasks. This amounts to a waste of resources, cost and time.
- There is no provision to apply configuration changes in bulk to many devices in one go. Administrators have to log on to devices separately or, at best, execute many custom scripts to get the work done, which is time consuming.
- Even simple tasks like rotating device passwords, viewing access lists etc. could prove an uphill task.
- As the number of devices grows, administrators find it difficult to respond to business priorities that require frequent configuration changes. The likelihood of errors rises.
- A trivial error in a configuration could have a devastating effect on network security, leaving room for malicious hackers. The traditional approach has no provision to check configurations before deployment from the standpoint of security.
- Administrators lose track of configuration changes. As a result, configuration management becomes a daunting task. In the face of a network outage, troubleshooting becomes laborious. The mean time to repair (MTTR) climbs significantly.
- There is no way to control access to device configurations based on user roles. There is no way to check for or prevent unauthorized configuration changes either.
- The traditional practice has no scope to ensure accountability for user actions. When something goes wrong due to a faulty configuration change or when a security breach occurs, it would not be possible to trace the actions to a particular individual in the absence of audit trails.
- There is no provision to monitor and ensure compliance with government regulations, industry best practices and standards.
Issues at a Glance
- Wastage of skilled resources in repetitive configuration tasks
- Administrators require lot of time to do configuration changes
- Troubleshooting in the face of outages becomes monumental
- No provision to monitor unauthorized changes, security and compliance
- Unable to keep track of configuration changes
- No centralized control
- Lack of accountability for actions
The Way Out
Conquering the complex, multifaceted operational and technological challenges of network configuration management is getting simpler nowadays with the availability of Network Change and Configuration Management (NCCM) solutions.
The NCCM solutions are designed to automate the entire lifecycle of device configuration management. The process of changing configurations, managing changes, and ensuring compliance and security are all automated, and NCCM solutions prove to be powerful tools in the hands of network administrators.
Industry best practices such as Cisco’s ‘Gold Standard’ (which explains the recommended security settings for Cisco devices) and Government and other regulations such as HIPAA, Sarbanes-Oxley, EPHI, GLBA, PCI Data Security Requirements etc. prescribe a lot of ‘best practices’. By complying with the best practices and compliance policies, enterprises can avoid most network security issues.
By leveraging NCCM solutions, administrators can automate the entire compliance monitoring process, which will happen at all levels - on demand, automatically at regular intervals and whenever a change happens. Violations would immediately be escalated to the security personnel. Besides, comprehensive compliance reports could be generated for submission to compliance auditors. In addition, in the case of violations, remediation tips will also be offered. During planned configuration changes, NCCM solutions help check the syntax of the configuration changes for correctness before uploading them to the device.
NCCM solutions will also help put in place both proactive and reactive configuration management strategies. Proactively, administrators can reduce manual errors and prevent unauthorized changes; when something goes wrong, they can react to the contingency within minutes by getting to the root cause or by rolling back to the previous working version.
Automating NCCM will not only help networks remain compliant with the policies, but also keep the network in top shape. Compliance with best practices will just become a way of life.
With a good NCCM solution in place, enterprises can make best use of their network infrastructure. They can achieve increased network uptime and reduced degradation and performance issues.
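The two NCCM functions the article leans on, compliance checking against a baseline and detecting a change to a running configuration, as an added example (not ManageEngine's or Cisco's code). The two device configurations and the rules are constructed for illustration; the rules only stand in for the kind of settings a 'Gold Standard'-style baseline prescribes.

```python
"""Baseline compliance check and change detection for a device configuration.

Added example for the NCCM discussion above. The configuration text and the
rules are constructed and only illustrate the kind of 'golden' settings such
a tool checks; they are not Cisco's published Gold Standard.
"""
import difflib
import re

# Constructed sample: the approved baseline for an edge router.
BASELINE = """\
hostname edge-rtr-01
service password-encryption
no ip http server
snmp-server community S3cureRO-v2 RO
line vty 0 4
 transport input ssh
 exec-timeout 10 0
"""

# Constructed sample: the running config after an unreviewed change.
RUNNING = """\
hostname edge-rtr-01
no service password-encryption
ip http server
snmp-server community public RO
line vty 0 4
 transport input telnet ssh
 exec-timeout 10 0
"""

# Global rules: (rule name, pattern that must be present / must be absent).
REQUIRED = [
    ("password-encryption", r"^service password-encryption$"),
    ("http-server-disabled", r"^no ip http server$"),
]
FORBIDDEN = [
    ("default-snmp-community", r"^snmp-server community (public|private)\b"),
]


def parse(text):
    """Return config lines with comments ('!') and blank lines removed."""
    return [ln.rstrip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("!")]


def vty_blocks(lines):
    """Yield (header, child lines) for each indented 'line vty' section."""
    i = 0
    while i < len(lines):
        if lines[i].startswith("line vty"):
            j = i + 1
            while j < len(lines) and lines[j].startswith(" "):
                j += 1
            yield lines[i], [c.strip() for c in lines[i + 1:j]]
            i = j
        else:
            i += 1


def check_compliance(text):
    """Return a sorted list of the rule names the configuration violates."""
    lines = parse(text)
    violations = set()
    for name, pat in REQUIRED:
        if not any(re.match(pat, ln) for ln in lines):
            violations.add(name)
    for name, pat in FORBIDDEN:
        if any(re.match(pat, ln) for ln in lines):
            violations.add(name)
    # Block-scoped rule: every vty line must accept SSH only.
    for _header, children in vty_blocks(lines):
        if not any(c == "transport input ssh" for c in children):
            violations.add("vty-ssh-only")
    return sorted(violations)


def config_diff(old_text, new_text):
    """Lines added and removed relative to the approved baseline, so an
    unreviewed change can be spotted and the baseline restored."""
    added, removed = [], []
    for ln in difflib.ndiff(parse(old_text), parse(new_text)):
        if ln.startswith("+ "):
            added.append(ln[2:])
        elif ln.startswith("- "):
            removed.append(ln[2:])
    return added, removed


if __name__ == "__main__":
    print("baseline violations:", check_compliance(BASELINE))
    print("running violations: ", check_compliance(RUNNING))
    added, removed = config_diff(BASELINE, RUNNING)
    print("added:  ", added)
    print("removed:", removed)
```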
ManageEngine is exhibiting at Infosecurity Europe 2009, the No. 1 industry event in Europe held on 28th – 30th April in its new venue Earl’s Court, London. The event provides an unrivalled free education programme, exhibitors showcasing new and emerging technologies and offering practical and professional expertise. For further information please visit www.infosec.co.uk
Courtesy: Infosecurity PR
<>
The Impact of the Consumerization of IT on IT Security Management
By Alexei Lesnykh, DeviceLock
The age of consumerization of IT, defined as the blurring of lines between corporate IT and consumer technology, is well and truly upon us. Driven by the proliferation of consumer technology such as PDAs, MP3 players and Smartphones, we have seen increasing adoption of consumer technology in the corporate environment. Thanks to the growth of endpoint device capabilities and the corresponding changes in security threat profiles, this new era has significant ramifications for the management and enforcement of corporate IT.
Personal mobile devices have already been proven to increase productivity. According to Osterman Research, 15 per cent of the corporate workforce used employee-supplied mobile devices in 2007, and a survey from TechTarget forecasts that this figure will exceed 25 per cent in 2008.
From an IT security perspective, the task of managing ‘rogue’ or disgruntled employees in a consumobilized enterprise will become a real art – especially as a high degree of co-operative behavior and self-discipline will be expected and required from all employees including those who are discontented, malicious, negligent, or forgetful. The same technology advancements and social trends that drive consumerization will also cause a sharp increase in information security risks, based on the development of ‘production quality’ mobile malware, and the growth of corporate data leakage from and through employees’ mobile devices.
The typical size of a mobile device’s removable flash memory (currently 4 - 8GB) is already sufficient for storing and running a standard Operating System. The threat of corporate data leakage through personal mobile devices is unavoidable and immediate. Unavoidable because certain features of human nature will not change: since there is no ultimate cure for accidental errors, negligence or malicious intent, mobile devices will continue to be lost and stolen. Immediate because nothing new is required for exercising the threat and it is happening right now.
So what is the scale of this threat, in these early stages of IT consumerization? In-Stat has estimated that in the US over eight million mobile devices went missing in 2007; and for Smartphone users, the people with the most access to sensitive information, the probability of losing a device was 40 per cent higher. According to the 2007 CSI Computer Crime and Security Survey, seven per cent of total financial losses incurred by US corporations from IT security incidents were related to the loss of proprietary or confidential data resulting from mobile device theft. Projecting these figures onto the latest predictions on mobile device market growth made by Tim Bajarin, President of Creative Strategies, one can anticipate an alarming figure of about five and 14 million Smartphones being lost in 2008 and 2010 respectively. This will equate to about 14 per cent of the total financial losses caused by attacks on corporate IT resources in 2008, rising to 21 per cent in 2010.
Developing the solution
So what should the security industry be doing to address the mobile security threats brought about by IT consumerisation? The key part of the architecture for preventing data leakage needs to be local sync parsing. The local sync data leakage prevention architecture should be built as a stack of integrated security mechanisms including bottom-up endpoint device/port control, local sync application parsing, file type filtering, and content-based filtering technologies. In addition, a central policy-based management console integrated with a major systems management platform, comprehensive centralized logging, reporting and evidence enablement components need to be put in place.
Every layer of the architecture controls those parameters of a local connection it is designed to deal with by blocking or filtering prohibited elements out, and detecting and marking the types of objects to be controlled by a higher-layer architecture component to which the classified data flow is then passed for further processing.
The device/port control component of the architecture is responsible for detecting and controlling the presence of a locally connected mobile device, the type of connection interface or port, the device type and, ideally, the device model and its unique ID. The output can then be passed to the local sync parsing component, which parses the sync traffic, detects its objects (e.g. files, pictures, calendars, emails, tasks, notes, etc.), filters out those prohibited, and passes allowed data up to the file type filter. The file type filtering component checks the input flow and deletes files of disallowed types, and the content-based filtering component then inspects the remaining data to detect and block the pieces of human-understandable data that fail to comply with the corporate security policy.
The security threat brought about by the consumerization of IT and the consequent mobilization of the workforce is real and upon us. Organizations need to take immediate steps to ensure that they address this threat before it gets out of control and the infosecurity market needs to continue to develop solutions to mitigate the unavoidable risk brought about by the growth of consumer technology in the corporate environment.
DeviceLock is exhibiting at Infosecurity Europe 2009, the No. 1 industry event in Europe held on 28th – 30th April in its new venue Earl’s Court, London. The event provides an unrivalled free education programme, exhibitors showcasing new and emerging technologies and offering practical and professional expertise. For further information please visit www.infosec.co.uk
DeviceLock is a worldwide leader in endpoint device control security. For more information please see: www.devicelock.com.
Courtesy: Infosecurity PR
<>
Spammers a scourge to Inbox and Environment, so study finds
by Michael Smith (Veshengro)
There are plenty of reasons to hate spammers. Add this to the list: They're environmentally unfriendly.
A report being released on April 16, 2009 by ICT security company McAfee Inc. finds that spammers are a scourge to your inbox and the environment, generating an astounding 62 trillion junk e-mails in 2008 that wasted enough electricity to power 2.4 million U.S. homes for a year. That is a lot of wasted energy, for sure.
The "Carbon Footprint of E-mail Spam Report" by McAfee estimated the computational power needed to process spam: from criminals tapping their armies of infected PCs to send it, Internet providers transmitting it, and end users viewing and deleting it.
The report concluded that the electricity needed to process a single spam message results in 0.3 grams of carbon dioxide being released into the atmosphere - the equivalent of driving 3 feet in a car.
"While the spam that arrives in any individual's inbox may create just a small puff of CO2, the puff multiplied by millions of users worldwide adds up," wrote McAfee. McAfee relied on data generated by energy and environmental consultancy ICF International Inc. to reach its greenhouse gas estimates.
The report found that almost 80 percent of spam's greenhouse emissions come from the energy that PCs consume while users are viewing, deleting, or sifting through spam looking for legitimate messages.
McAfee says it takes users about three seconds to view and delete a spam message. Although most spam doesn't get through because of sophisticated spam filters, and chance would be a fine thing, people spend a lot of time - 100 billion user-hours per year - dealing with the messages that do land in inboxes, McAfee estimates.
The findings are significant because most e-mail is spam. The latest figures from Microsoft Corp. show that unwanted messages account for 97 percent of all e-mail and unfortunately some of it is generated by Microsoft themselves and others simply is not filtered correctly.
There is one area, however, where spammers might claim the environmental high ground.
Spammers need to limit the size of their attachments to evade detection, so their messages wind up consuming much less energy than legitimate e-mail. McAfee's report estimates that the emissions from processing a single piece of legitimate e-mail are around 4 grams of carbon dioxide - 13 times spam's emissions - because users linger on them longer and attach bigger files.
But, when considering the environmental footprint of legitimate emails with all those attachments, we might also consider the cost to the environment were that email sent as a proper letter, with the material that is digitally attached enclosed in an envelope. How much do we think that would be?
As far as most of us are concerned, though, even if we must consider the environmental impact of spam emails, what matters is the impact spam emails have on us when we try to deal with our emails.
I personally have a number of email accounts and the ones, for instance, that are of the former “LineOne.net”, now part of the Tiscali group, are getting nothing but spam, basically, and apparently Tiscali is incapable of doing anything about it – unless you pay for it. It is, as far as I am concerned, annoying in the extreme as I am also not really interested in the tablets they want to sell me and other products.
© 2009
<>
WHO’S READING YOUR DATA WHILE YOU READ THIS?
By Colin Tankard, Managing Director, Digital Pathways Limited
Security of data has been an issue for as long as … well, as long as there has been data. As that data is stored in more and more sophisticated ways, so the security systems need to run to keep up. It’s not just the MoD that needs to know who’s reading their files; there can’t be a single commercial concern that doesn’t need to shield confidential material from prying eyes.
The nub of the problem revolves around the ability to very accurately control access to data. Knowledge is power, as they say, and accidentally giving knowledge to the wrong people can be highly debilitating.
It’s not just protecting data from external threats though; protective software needs to be simultaneously inward-facing. Companies need to be absolutely sure that staff cannot gain access to confidential data such as salaries and HR files – or, as importantly, the data of the firm’s clients or customers.
It might be a question of straightforward commercial confidentiality, or it may be that companies have a legal obligation for compliance with the Data Protection Act, or the PCI standard; or it may well be that the company has outsourced its digital support, and they want that sub-contractor to manage their infrastructure but not have access to their data.
When it comes to protecting data, information, files – call it what you will - there are three fundamental elements which need to be understood and addressed.
Firstly you need to know who or what is accessing the information being disseminated from your own network; what is required is a comprehensive audit of who is logged on and where, and what data they have access to. That might sound obvious but it’s a crucial first step; if a big network is getting a large number of logs then the log data needs to be carefully analysed, and then be presented in a manageable format. There is often a gap in the ability to link the log data to any undesirable event. That ‘event’ might be a chain of occurrences which would trigger concern, such as a number of log-ons from the same IP address, using different passwords with each log-on.
It is the view of Colin Tankard, Managing Director of Digital Pathways, that the biggest challenge is for companies to log the data that is flying around in their networks. Once that has been managed they can then move on to put the necessary protocols in place.
The second step is to identify what data needs to be protected. Digital Pathways’ clients include international law firms handling highly sensitive information, car manufacturers who have an absolute imperative to protect new designs, and financial houses who need an impenetrable stockade around their own clients’ acquisitions and disposals.
The third step, obviously, is then to protect the data which has been identified as sensitive. Simple solutions such as encryption are just not good enough; encryption only protects you against physical theft. What needs to be controlled is access, and application to the data. A good start is to tighten access by software and user, so that employee A running Word can see those files, but employee A running SAP, or employee B running Word, has no access to that data.
These security systems need to be both active and reactive; protecting against breaches in security cover, every hour of every day, and responding to specific threats or attack. The access to data needs to be monitored constantly, and be presented in a managed and coherent fashion. There might be a large and highly technical report for the IT Manager, and a much more succinct précis for the Managing Director. This level of reporting will often be required by an external auditor (if the firm in question needs to show compliance with, say, the Financial Services Authority), or for a third-party client who requires reassurance that his data is secure. Having that in place as a part of the security solution saves both time and money.
At the end of the day there is a balance to be reached. For some organisations having their staff operating with user names and passwords isn’t enough, and you start to move into very high levels of security, such as biometrics. For most applications though it’s more about an understanding of the problems, and any potential disasters. A lot of Digital Pathways’ clients start off thinking that they know who has access to their data - before we ruin their day by showing them otherwise!
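The first step above, linking log data to an undesirable event chain, as an added example (not Digital Pathways' code): it correlates constructed log-on records and flags a source IP that makes repeated failed log-ons within a short window, the article's case of several log-ons from one IP with a different password each time. Real authentication logs record the failure and the account, not the password tried, so the chain is recognised from failures, the accounts targeted and whether a success followed. The one-line précis at the end mirrors the two-level reporting the article describes.

```python
"""Correlating log-on events into an alertable 'event chain'.

Added example for the audit-and-log step above. Log lines are constructed.
A burst of failed log-ons from one source IP inside a short window is
flagged, together with the accounts it touched and whether a successful
log-on followed, which is the case an analyst wants escalated first.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one line per log-on attempt.
SAMPLE_LOG = """\
2009-04-28T09:00:01Z result=FAIL user=alice ip=192.0.2.10
2009-04-28T09:00:04Z result=FAIL user=alice ip=192.0.2.10
2009-04-28T09:00:07Z result=FAIL user=alice ip=192.0.2.10
2009-04-28T09:00:09Z result=FAIL user=bob ip=192.0.2.10
2009-04-28T09:00:12Z result=OK user=bob ip=192.0.2.10
2009-04-28T09:05:00Z result=FAIL user=carol ip=198.51.100.7
2009-04-28T09:40:00Z result=FAIL user=carol ip=198.51.100.7
2009-04-28T10:00:00Z result=OK user=dave ip=203.0.113.9
"""


def parse_log(text):
    """Return events as (timestamp, result, user, ip) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, kv["result"], kv["user"], kv["ip"]))
    return events


def find_suspicious_ips(events, threshold=3, window=timedelta(minutes=5)):
    """Return {ip: details} for IPs with >= threshold failures inside `window`.

    A sliding window runs over each IP's failures in time order. Two failures
    35 minutes apart (198.51.100.7 below) do not qualify; four failures in
    eight seconds across two accounts (192.0.2.10) do.
    """
    by_ip = defaultdict(list)
    for ts, result, user, ip in sorted(events):
        by_ip[ip].append((ts, result, user))
    alerts = {}
    for ip, evs in by_ip.items():
        fails = [(ts, u) for ts, r, u in evs if r == "FAIL"]
        for i in range(len(fails)):
            j = i
            while j + 1 < len(fails) and fails[j + 1][0] - fails[i][0] <= window:
                j += 1
            if j - i + 1 >= threshold:
                burst_end = fails[j][0]
                success_after = any(r == "OK" and ts >= burst_end for ts, r, _ in evs)
                alerts[ip] = {
                    "failures": j - i + 1,
                    "users": sorted({u for _, u in fails[i:j + 1]}),
                    "first": fails[i][0],
                    "last": burst_end,
                    "success_after": success_after,
                }
                break
    return alerts


def summary(alerts):
    """One-line precis for management: how many sources, how many urgent."""
    urgent = [ip for ip, d in alerts.items() if d["success_after"]]
    return f"{len(alerts)} suspicious source(s); {len(urgent)} followed by a successful log-on"


if __name__ == "__main__":
    found = find_suspicious_ips(parse_log(SAMPLE_LOG))
    for ip, detail in found.items():   # full detail for the IT Manager
        print(ip, detail)
    print(summary(found))              # precis for the Managing Director
```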
Digital Pathways Limited is exhibiting at Infosecurity Europe 2009, the No. 1 industry event in Europe held on 28th – 30th April in its new venue Earl’s Court, London. The event provides an unrivalled free education programme, exhibitors showcasing new and emerging technologies and offering practical and professional expertise. For further information please visit www.infosec.co.uk
Courtesy: Infosecurity PR
<>
How to protect Network Security in the Social Networking Age
By Dr. Anton Grashion, EMEA Security Strategist, Juniper Networks
Productivity tool or security headache? Like instant messaging and e-mail before it, social networking can be a great tool but can also cause concern in companies that haven’t learned to adapt - and real trouble to companies that haven’t learned how to manage it.
Enterprises are beginning to adopt social networking applications to offer a fast, easy-to-use way to keep in touch, organize activities and share ideas.
Whether businesses like it or not, employees (especially younger ones) are signing up for these tools regardless of whether it’s company policy or not, and forcing the businesses to play catch up.
Because of this, there are three major concerns that are keeping IT up at night. First, consumer applications can cut into employee productivity for hours at a time. Second, social networking sites can become vectors for viruses, hacker attacks and phishing. Finally, social networking image, audio and video traffic steal bandwidth from business uses.
So, how are IT administrators supposed to control this problem? There aren’t many model companies to follow in terms of company-wide social networking deployments. A few pioneering companies have opened their doors to social networking on corporate networks: Shell Oil, Procter & Gamble and General Electric maintain social networking accounts. An exclusive Citigroup Facebook network has almost 2,000 members.
When you look at the usage statistics, peer-to-peer (P2P) networks have millions of users sharing photos, software, music and video. Social networking reaches even further: MySpace claims more than 61 million active users; Facebook more than 65 million. The Pew Research Center estimates that half of online adults have used these services to connect with people they know.
There are also organizations actively working against social networking. As the nature of government information is often sensitive, social media tools are a big concern for many government organizations. For instance, in May 2007, the U.S. Army blocked URLs for MySpace and 12 other “entertainment” sites from their U.S. and overseas networks, citing bandwidth and security concerns. Interactive communities such as YouTube, LinkedIn, Facebook and many others are a perfect target for hackers to plant malicious worms and viruses masked as legitimate user content, and present the potential for inadvertent leakage or misuse of mission-critical data. But these tools can be important for spreading government information quickly, both internally and between organizations, and for monitoring public opinion, so there is a long way to go before these concerns are overcome. For this reason, rather than rushing into decisions to implement these social networking tools, there should be a cautious approach to ensure the right technology pieces are in place to enforce appropriate protection, access and use. There are many technology solutions available to organizations to let them support access to social media tools while enforcing strict control over network traffic to protect information assets and avoid data loss.
The decision to block or allow consumer applications is not black or white. Policies vary according to user, application, security requirements and network infrastructure. There are steps that organizations can take to let social networking into the network securely.
1. Application-based policies
Blocking applications may address this issue. However, modern consumer applications are designed to work on many different network infrastructures. This makes them hard to detect and regulate. The policies should also enable applications that offer business value - without compromising quality of service (QoS).
2. Corporate policies
Although few organizations will apply policies without exception across their entire network, most start by establishing general guidelines. Blanket policies that block or regulate all peer-to-peer traffic can then be adapted to support authorized exceptions, while continuing to regulate or block the rest.
3. User policies
Even when policies are consistent across a network or network leg, they may vary from one user category to the next. Users can be categorized many ways. For example, categories of users can be employees, contractors and/or partners. In general, policies for employees may resemble overall network permissions, contractors will likely have access to a subset of those applications, and partners may have access only to specific applications. The challenge is where and how to enforce user-based policies.
Balancing requirements
Whether your company has identified a business need for social networking applications or simply decided to get ahead of the trend, managing consumer applications on corporate networks is a matter of balancing four priorities: Security, Quality of Service, Visibility and Control.
No single set of policies can meet these requirements for every business. By deploying a combination of policy-centric and interoperable technology solutions, organizations can customize their security profile to reflect the uniqueness of their individual networks, and they can grant access when, where and to whom they want, adapting permissions and defenses as required to counteract internal and external threats.
Now is the time to put these controls in place because, like entropy, the pace of technological change is always increasing. No sooner have we become accustomed to the ideas of Web 2.0 than we are turning our attention to Web 3.0 and beyond. With these changes we are faced with opportunities and challenges; don’t let evolution pass you by.
Juniper Networks is exhibiting at Infosecurity Europe 2009, the No. 1 industry event in Europe held on 28th – 30th April in its new venue Earl’s Court, London. The event provides an unrivalled free education programme, exhibitors showcasing new and emerging technologies and offering practical and professional expertise. For further information please visit www.infosec.co.uk
Courtesy: Infosecurity PR
<>
Are we heading for Internet Lockdown?
By Greg Day, Security Analyst, McAfee International Ltd
Those with responsibility for managing appropriate use of an organisation’s IT systems have a greater challenge than ever before on their hands. Years ago, employees’ interaction with IT was limited to the few ‘techies’ working with complicated mainframes and central computer systems. Now, almost every employee spends the majority of their working day in front of a PC, and the Internet plays a pivotal role in much that they do.
One major issue that has emerged in recent years is how to manage the use of technology in businesses so that efficiency is kept at an optimum without compromising security. In today’s technology-driven world, locking down employees’ desktops and internet gateways would be almost akin to tying their hands behind their backs, as many rely on the web for almost every facet of their job. Therefore the internet, the very thing that can make us quicker, better and more productive, can also be a major headache, and with the range of applications now being legitimately used, it can be hard to understand the full scope of what is being made use of and how.
Recent McAfee research has highlighted how today’s IT managers are being tasked to manage not only the use of information technology within their organisations but also to consider the impact those technologies can have on the productivity of staff.
McAfee’s research highlights how many popular web technologies are not being blocked in organisations, although they are known to present serious issues regarding security and productivity. In some cases, these technologies have no legitimate business purpose, yet this is not always the case. Only one in five businesses in Europe block access to social networking sites such as Facebook and MySpace, despite almost half of them wishing they could, as they fear that they could spread viruses and encourage spam. This is made worse when you consider that it is well-known among IT professionals that they also present an increased exposure to security risks such as ID theft and unintentional exposure of sensitive information.
The situation becomes even more complex when looking at applications that, despite posing a risk from a security perspective, can also have a valid use within the business. Instant messenger and web mail are two prime examples of this and as a result, restricting access to these technologies is not as simple as it may seem. This is where employee education, helping staff to understand and prevent security threats, and policies defining acceptable use of technology on corporate systems must come into play.
IT decision makers often have the difficult job of making a choice between what they know are serious security threats and other business priorities such as productivity and employee morale. Usage policies can bridge the gap between what IT departments would ideally like to block and what is functionally realistic.
McAfee’s research also highlights that the top potentially risk-laden sites blocked by European IT managers are Internet dating (36%) and music downloads (36%). These certainly fall into the category of technologies that limit productivity but can also increase an organisation’s exposure to security threats, and are therefore clearly more straightforward to identify as “blockable”. Attitudes towards restricting access to different technologies vary considerably across Europe, with Sweden proving to be the most lenient, with 57% of IT professionals not limiting access for their employees, while in the UK only 28% of IT departments allow employees to roam free on the Internet.
In conclusion, today’s workplace has seen a major blurring of the lines between the personal and professional. In many cases this is a positive evolution, but it should never put a company at risk. IT professionals clearly have the difficult job of balancing the security needs of a business and the functional needs of the workforce, but putting fair usage policies in place and educating people on how to be safe on these sites is the most realistic option.
McAfee International Ltd is exhibiting at Infosecurity Europe 2009, the No. 1 industry event in Europe held on 28th – 30th April in its new venue Earl’s Court, London. The event provides an unrivalled free education programme, exhibitors showcasing new and emerging technologies and offering practical and professional expertise. For further information please visit www.infosec.co.uk
Courtesy: Infosecurity PR
<>
The end of the line for security…
By Sacha Chahrvin, Managing Director DeviceLock
Journalists love to write about IT security breaches and scares, even though they have been happening for a while. Virus attacks, lost laptops, hackers or individuals having their bank accounts emptied will always make the news. The example of the TK Maxx security breach, where hackers compromised the payment card details of over 45 million customers over a 16-month period, has refocused attention on the importance of data protection.
But it’s much rarer that malicious employees and the havoc they can cause makes it into the papers. Admittedly, the press do report on county councils losing laptops containing confidential employee information. But it is unusual that the public hears of security breaches that are deliberate insider attacks.
But that certainly shouldn’t make anyone think that it doesn’t happen. With the proliferation of high-speed CD drives, USB ports, Wi-Fi and Bluetooth, there are many ways for a disgruntled employee to steal or replicate private company information. And with USB drives of 4GB costing less than £301, iPods that go up to 80GB and even larger external hard drives not much bigger than a pack of playing cards, it is very easy for a user to leave the office with the organisation’s entire customer database or its future product development plans in their pocket.
When key employees are about to leave an organisation they are frequently put on ‘gardening leave’ as soon as it is agreed they are going, so that they have no further access to corporate systems. But can you find out what they accessed the previous day? Or what they might have copied onto their digital camera memory card or MP3 player just last week?
These are deliberate attacks with malicious intent. But they’re not the only thing that companies should worry about. I wonder how many sales executives have copied product details or customer information onto a USB memory stick so they can access it while travelling between client organisations? Mobile working at its best – until the device gets lost.
Many organisations now realise that they need to control any user device that connects to the network, as part of their wider endpoint security policy. Indeed some companies have gone as far as disabling all ports and devices that allow users to copy data from the network. But this universal blocking of users isn’t necessarily the most effective ongoing solution for the business, despite the additional security it provides.
Treading the fine line between security and system usability will probably always be a problem for IT security managers. It is possible to build a secure database that can never be hacked or breached. But it would probably be isolated in a bunker underground with 24-hour armed guard and no connection to the outside world.
Undoubtedly this is a good solution for the security team, but that doesn’t ring true for the employees who need to view and update the data it contains on an ongoing basis. However, as soon as you open a system for legitimate users and allow them access, there is the potential for a security breach.
However, USB sticks and CD drives have not grown in popularity because they make data theft easier, but for the real difference they can make to people conducting their daily business. Information is the company’s life blood, and people need to access and move it around, copy it or take it out of the office as part of their job. Simply removing that option isn’t a realistic solution.
Organisations must start to take a proactive, flexible approach to endpoint security. This includes both the tools necessary to manage the system and the policies and employee training required to make it work. The IT security team should be able to add and remove layers of security as required by users so that they can do their jobs effectively, without making systems vulnerable. And employees need to be aware of the risks of corporate data theft and ensure that they act as the eyes and ears of the organisation, flagging up potential problems before they become reality.
If a company’s people and information are its two most valuable assets, the organisation needs to find a way of working with both so that they deliver the maximum possible value.
DeviceLock is exhibiting at Infosecurity Europe 2009, the No. 1 industry event in Europe held on 28th – 30th April in its new venue Earl’s Court, London. The event provides an unrivalled free education programme, exhibitors showcasing new and emerging technologies and offering practical and professional expertise. For further information please visit www.infosec.co.uk
DeviceLock is a worldwide leader in endpoint device control security. For more information please see: www.devicelock.com.
Courtesy of Infosecurity PR
<>
Multiple Twitter worms over Easter shows need for security in coding
Multiple Twitter worms shows need to incorporate security into program code development
14 April 09 The fact that Twitter has been hit by as many as four worms over the Easter weekend highlights the need to include the code audit and security process in the software development cycle, says Fortify Software, the application vulnerability specialist.
"Media reports have made much about the author of what appears to be the first generation of Twitter worms, but they appear to have missed the point that these are actually basic cross-site scripting (XSS) security problems," said Barmak Meftah, Fortify Software's senior vice president of products and technology.
"The situation acts as yet another reminder that code vulnerability exploitation is now sufficiently high up the hacker agenda to warrant the inclusion of code auditing in the software planning and development process," he added.
According to Meftah, the old axiom that a company takes its security seriously is no longer proven merely by the firm fixing problems after they take place.
This Twitter hack, he says, is a classic example of how poor coding enables compromises that should never have been allowed to happen in the first place.
There is, he explained, no excuse for poor coding, even with free software.
"Twitter claims they've solved it, but this is hard to believe. If you can find 4 vulnerabilities in 48 hours, this indicates a bigger problem. This highlights a common issue: developers rapidly writing code with minimal auditing and few security checks," added Meftah.
"When it comes to security, or rather, the lack of it, Web 2.0 has become a deja vu for the early days of the Internet," he said.
For more on the Twitter security issues: http://preview.tinyurl.com/cv5vwm
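The defect class Meftah names, cross-site scripting in user-supplied profile content, comes down to untrusted text reaching an HTML template unencoded. The following added example (not Twitter's or Fortify's code) shows a vulnerable renderer beside its hardened form: each field is escaped for the HTML context it lands in, and link targets are restricted to absolute http(s) URLs, because escaping alone does not make an attribute such as href safe. The field values and marker strings are constructed for illustration.

```python
"""Contextual output encoding for user-supplied profile fields.

Added example (not Twitter's or Fortify's code): the defect class named in
the text, stored XSS in user content, shown as a vulnerable template beside
its hardened form. All profile values and marker strings are constructed.
"""
import html
from urllib.parse import urlsplit

ALLOWED_URL_SCHEMES = {"http", "https"}

# Constructed marker: if this survives verbatim into the page, the output is unsafe.
SCRIPT_MARKER = "<script>alert(1)</script>"


def render_profile_vulnerable(name: str, bio: str, website: str) -> str:
    """Interpolates untrusted fields straight into HTML (the defective pattern)."""
    return (f"<h1>{name}</h1>"
            f"<p>{bio}</p>"
            f'<a href="{website}">site</a>')


def safe_url(url: str) -> str:
    """Allow only absolute http(s) URLs; anything else becomes an empty link.

    Escaping alone would leave a javascript: or data: target executable, so the
    scheme is checked before the value is attribute-escaped.
    """
    cleaned = url.strip()
    parts = urlsplit(cleaned)
    if parts.scheme.lower() not in ALLOWED_URL_SCHEMES or not parts.netloc:
        return ""
    return html.escape(cleaned, quote=True)


def render_profile_safe(name: str, bio: str, website: str) -> str:
    """Escapes each field for the HTML context it lands in."""
    return (f"<h1>{html.escape(name, quote=True)}</h1>"
            f"<p>{html.escape(bio, quote=True)}</p>"
            f'<a href="{safe_url(website)}">site</a>')


def marker_survives(rendered: str, marker: str = SCRIPT_MARKER) -> bool:
    """Audit helper: True if the raw marker is present unencoded in the output."""
    return marker in rendered


if __name__ == "__main__":
    name = "alice" + SCRIPT_MARKER          # constructed hostile display name
    bio = 'likes "quotes" & <b>tags</b>'    # constructed bio with attribute-relevant characters
    site = "javascript:alert(1)"            # constructed non-http link target
    for label, fn in (("vulnerable", render_profile_vulnerable), ("safe", render_profile_safe)):
        out = fn(name, bio, site)
        print(f"{label:10s} marker survives: {marker_survives(out)}")
        print(out)
```

The audit helper is the kind of check a code review or an automated test can apply to every template: feed each user-controlled field a known marker and fail the build if it reaches the rendered output unencoded.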
Source: Eskenzi PR
<>
IT Security Gets a Boost as Survey Shows Spending Up
The Majority of Organisations expect to increase spending on Information Security
London, UK 14th April 2009 - A survey by Infosecurity Europe has found that spending on information security is likely to increase according to 55% of the 1010 respondents asked, while 34% expected their spending to remain the same as last year. Only 8% expect minor reductions of less than 5% of last year's spending and 2% expect significant reductions of more than 5%. This contrasts significantly with overall spending on IT, as 36% of respondents expect minor reductions from last year's IT spending and a third expect to see major reductions compared to last year's IT spending. A fifth expect overall IT spending to be higher than last year and 10% expect their overall IT spend to be the same as last year.
“Even though overall IT budgets may be reduced and the economic crisis continues to deepen, spending on information security will continue to grow, driven by the increase in security threats and the fact that many organisations are still in catch-up mode. IAM projects are still in catch-up mode, so more work is needed. In addition, new areas call for additional spending. Mobile users and remote access are still poorly protected against very agile threats,” said Eric Domage, Research Manager - Security Products & Services, IDC EMEA Software Group.
Domage continued, “We expect to see an increase in “Frustration Hacking”, when people opportunistically attack their own company because they have been fired or are frustrated; these first-time-last-time attacks are almost impossible to prevent. They are called first-time-last-time attacks because the people committing them have never done anything wrong before and it is done on their last day in the job. Attacks of this nature are complex to detect, prevent and remedy; for example, if someone deletes all the data on servers in a company it can take weeks to correct. Prevention requires security policy, encryption and access control; these are large projects which need to be implemented before a Frustration Hacking attack takes place, and this is one factor that is driving spending on information security.”
He then proceeded to say: “Our prediction for the Western European Software Information Security market is that it will grow by 7% in 2009 driven by concerns about holes in information security such as Data Leakage Prevention, data integrity attacks and mobile security which are all new areas that many organisations are still getting to grips with.”
According to Tamar Beck, Group Event Director, Infosecurity Europe, “The threat from cyber crime has increased significantly in the past 12 months, with predictions of the cost of cybercrime reaching hundreds of billions of dollars a year, and our own research found that 90% of organisations expect security breaches to increase in 2009. The economic climate, lack of effective legislation and under-resourced crime prevention have created a time bomb for cybercrime, cyber terrorism and cyber activism, all of which are stretching IT departments in the government and commercial sectors. There is still a huge requirement to invest in information security, which is resulting in robust budgets for information security even if overall IT budgets may remain static or even shrink slightly. At Infosecurity Europe we have brought together all the top infosecurity providers from across the globe so that organisations can compare and select the latest technology to protect your organisation, and an education programme packed with outstanding experts.”
In the keynote programme Dr. Nigel P Brown, Lead for Resilient Telecommunications Strategy, Cabinet Office, chairs the panel on the “Global Credit Crunch & the IT Security Market: The Impact To Market & Solutions For Recovery”. In uncertain financial times, any investment in technology is likely to be severely curtailed, but there are still areas of significant growth within the Information Security industry. In this keynote the ways in which security can support IT development in a tough investment climate are explored, and the technology classes that can still deliver are highlighted and investigated by:
- Nick Coleman, Co-Founder, The Technology Den
- Jason Creasey, Head of Research, Information Security Forum
- Eric Domage, Research Analyst IDC
- Jeremy Garside, Head Of Technology, The London Symphony Orchestra
- Ed Gibson, Fellow, British Computer Society
To register to attend or for more information please visit www.infosec.co.uk
Source: Eskenzi PR
<>
New Guide Helps Service Managers Integrate COBIT and ITIL for Successful Governance
Rolling Meadows, IL, USA - April 2009 - To help service managers use COBIT and ITIL to effectively govern IT services, the IT Governance Institute (ITGI) (www.itgi.org) has released a new publication, titled COBIT User Guide for Service Managers.
The guide, supported by itSMF, helps service managers better understand the need for IT governance and how to apply good practices in their specific roles and responsibilities. It facilitates easier use and adoption of Control Objectives for Information and related Technology (COBIT) and IT Infrastructure Library (ITIL) concepts and approaches, and encourages integration of COBIT with ITIL.
“When used together, COBIT and ITIL provide a top-to-bottom approach to IT governance, including service management,” said Robert Stroud, CGEIT, international vice president of ITGI and chair of the COBIT Steering Committee. “When used together, the power of both approaches is amplified, resulting in greater likelihood of management support and more cost-effective use of resources.”
COBIT User Guide for Service Managers is applicable to any service provider, whether acting as an internal IT function or as a commercial vendor. The guidance is based on good practice and the practical experiences of industry experts, and is intended to be pragmatic and helpful rather than prescriptive. The structure has been based on COBIT’s key components of key controls, goals and metrics, roles and responsibility (RACI) charts, and maturity models. It also leverages ITGI’s COBIT mapping research, including the latest mapping of COBIT 4.1 with ITIL V3 and the soon-to-be-released mapping of COBIT 4.1 with ISO/IEC 20000.
Included are explanations of how to get started and combine COBIT and ITIL for successful service management. Core guidance is provided in the form of a table showing:
- The key activities of a service manager organized by ITIL V3 processes
- The corresponding COBIT 4.1 control objectives
- The corresponding ISO/IEC 20000-1:2005 references
- Roles and responsibilities for a generic range of role players, expressed as a RACI chart
COBIT User Guide for Service Managers is available as a complimentary download for ISACA members at www.isaca.org/deliverables. The electronic version is US $35 for nonmembers. Print copies can be purchased for US $50 from the ISACA Bookstore (www.isaca.org/bookstore).
The IT Governance Institute (www.itgi.org) is a nonprofit, independent research entity that provides guidance for the global business community on issues related to the governance of IT assets. ITGI was established by the nonprofit membership association ISACA in 1998 to help executives and IT professionals ensure that IT delivers value and its risks are mitigated through alignment with enterprise objectives, IT resources are properly managed, and IT performance is measured. ITGI developed COBIT and Val IT, and offers original research and case studies to help enterprise leaders and boards of directors fulfill their IT governance responsibilities and help IT professionals deliver value-adding services.
Source: Eskenzi PR
<>
Smaller Companies Are Just As Likely To Be Hacked According To Business Crime Reduction Centre
London, UK – April 2009: Infosecurity Adviser, the online community for the information security industry, in association with Infosecurity Europe, has secured an exclusive interview with David Stockdale, the head of the Business Crime Reduction Centre (BCRC), an initiative that seeks to assist SMEs in tackling problems caused by crime.
According to Mike Barwise, blogger for Infosecurity Adviser, the exclusive interview with the BCRC is interesting, since it highlights the efforts the Centre is undertaking to educate SMEs on the topic of crime generally and, of course, cybercrime.
"The Centre is carving out a name for itself as a highly responsive organisation that seeks to listen to what small businesses are looking for on the crime advice front, and provide that service," he said.
"The BCRC has just completed a national survey on SMEs' attitudes to electronic crime which has revealed that smaller companies are just as likely to be hacked or similarly mistreated by electronic criminals," he added.
"At the same time, however, researchers found that many smaller firms lack the in-house ability to tackle the problem of hacking and other forms of electronic crime."
According to Barwise, it's grass-roots research like this that reveals the real state of cybercrime in the UK, as well as showing the variety of responses that companies take to the problem.
The interview, he says, reveals a worrying lack of understanding about cybercrime in the SME business community, and also highlights the need for education about the problem.
In many ways, he explained, the BCRC interview confirms the reasoning behind the need for educational seminars on cybercrime at major events such as the Infosecurity Show, which takes place in London later in April.
"With survey results showing that 21 per cent of MDs of smaller firms are unaware of what IT security resources they have in place, it's clear that a lot of education is needed on the topic of protection from cybercrime," he said.
"It's good to know that the Centre is doing its bit to educate the SME community in this regard, as well as confirming the Infosecurity Europe show plans for a comprehensive education programme at the three day event," he added.
To read the Infosecurity Adviser interview with David Stockdale: http://www.infosecurityadviser.com/view_message?id=109
For more on the Infosecurity Europe event: http://www.infosec.co.uk
Source: Infosecurity PR
<>
Conficker Awakes!
Internet worm carrying damaging software appears to have woken up
by Michael Smith
It would seem, at least judging by its activity, that the Conficker worm is finally doing something. On April 10th it appeared to be updating via peer-to-peer between infected computers and dropping a mystery payload on them, according to Trend Micro.
Researchers were analyzing the code of the software that is being dropped onto infected computers but suspect that it is a keystroke logger or some other program designed to steal sensitive data off the machine, said David Perry, global director of security education at Trend Micro.
The software appeared to be a .sys component hiding behind a rootkit, which is software that is designed to hide the fact that a computer has been compromised, according to Trend Micro. The software is heavily encrypted, which makes code analysis difficult, the researchers said.
The worm also tries to connect to MySpace.com, MSN.com, eBay.com, CNN.com and AOL.com as a way to test that the computer has Internet connectivity, deletes all traces of itself in the host machine, and is set to shut down on May 3, according to the TrendLabs Malware Blog.
Because infected computers are receiving the new component in a staggered manner rather than all at once there should be no disruption to the Web sites the computers visit, said Paul Ferguson, advanced threats researcher for Trend Micro.
"After May 3, it shuts down and won't do any replication," Perry said. However, infected computers could still be remotely controlled to do something else, he added.
Trend Micro researchers have also noticed a new file in the Windows Temp folder and a huge encrypted TCP response from a known Conficker P2P IP node hosted in Korea.
"As expected, the P2P communications of the Downad/Conficker botnet may have just been used to serve an update, and not via HTTP," the blog post says. "The Conficker/Downad P2P communications is now running in full swing!"
In addition to adding the new propagation functionality, Conficker communicates with servers that are associated with the Waledac family of malware and its Storm botnet, according to a separate blog post by Trend Micro security researcher Rik Ferguson.
The worm tries to access a known Waledac domain and download another encrypted file, the researchers said.
Initially, researchers thought they were seeing a new variant of the Conficker worm, but now they believe it is merely a new component of the worm.
The worm spreads via a hole in Windows that Microsoft patched in October, as well as through removable storage devices and network shares with weak passwords.
The worm disables security software and blocks access to security Web sites. To check whether your computer is infected you can use this Conficker Eye Chart or this site at the University of Bonn.
As this is an ongoing event, so to speak, I am sure that we shall be seeing a lot more happenings in the next few days and weeks before it is laid to rest, again, for a while.
It pays to be vigilant, so be careful what you are doing online and what sites you visit. Also, don't go to any site that someone tells you has a removal tool for this virus and download it, unless you are sure you are on a reputable site such as Symantec, Trend Micro, BitDefender or similar. Other sites should be regarded as suspect.
© M Smith (Veshengro), 2009
<>
Is Google intent on buying Twitter?
by Michael Smith
It sounds like one of those deals that's too big - or at least too obvious - to be true: Google in talks to buy Twitter. Though, as far as I see it, as someone with a rebellious streak who always questions “who benefits”, this may actually not be good at all if true.
According to some reports acquisition talks are under way, though details are not all that clear, especially the price. The assumption is that it would be more than the company's internal valuation of $250m, and a more secure figure than the $500m stock deal that Twitter turned down from Facebook last year.
But talks for what? Would this be an outright acquisition, part acquisition or a search deal?
It would be sad to see Twitter lose its independence, though it is perhaps inevitable. Twitter is backed by some extremely influential investors who, despite their apparently unwavering support for the firm, will want a meaty return on their investments at some point. What could be more reliable in the web world than hard Google cash, with some shares thrown in for good measure?
It could be for just a stake in the firm, which would mean Twitter retained control and that precious independence or, then again, it could be an outright buy, and that would not be too good, in my opinion. Real-time communication and search, along with social media context, are becoming crucial to the web - as Google knows. It's not inconceivable, you could argue, that those dynamics could push Twitter to the same heights as even Google one day, and then they will wish they had that precious autonomy.
Though much of the recent media buzz around Twitter has been outside its control (Twitter has only just started recruiting a PR...), it has also created intense interest in the site and no doubt helped bolster its valuation claims.
What else does this say about Twitter? With the big 'if' caveat - if this is true - it vindicates Twitter's regular assurances that there really is money in them there hills. Google clearly sees where the money lies, and it will be fascinating to see what unfolds.
The problem, yet again, as I see it, could be that the loss of independence could lead, as so often, to a loss of control over what goes and what does not, and do we really want to have the site full of Google ads and the like?
Also, as we all know, Google's policy towards some countries and their demands to be given access to users' information is way too open-handed. Once again, as so often in these cases, the freedom of the Internet is at stake.
This is the same as with the talks of IBM to acquire Sun Microsystems and with it a chunk of the Open Source software market, including the ever more popular Open Office suite.
Anyone like me, with a mind that questions everything, will probably come to the same conclusion, namely that this is not a good sign for the independence and freedom of applications such as Twitter, which is basically the CB radio of the Internet, or for Open Source software.
© M Smith (Veshengro), 2009
<>