MBNA laptop fiasco could easily have been avoided

Origin says MBNA laptop fiasco could easily have been avoided

December 2009 (Eskenzi PR) – Reports that a laptop containing the personal records of thousands of customers of MBNA Bank has been stolen (http://bit.ly/6BCAtg) mean that large numbers of the bank's credit cardholders will now spend a worrisome Christmas and New Year break, concerned about their identities getting stolen.

And, says Origin Storage, the situation could easily have been avoided if the contractor concerned had used a secure portable storage device to protect the cardholder data.

"It's situations like this - where a bank's reputation is damaged by one of its suppliers failing to secure customer data - that I always find puzzling, for the simple reason that encrypted portable drives - complete with an onboard PIN protection system - can now be bought for just a few hundred pounds," said Andy Cordial, managing director of the storage systems integration specialist.

"Devices like the DataLocker (http://bit.ly/2vb6y9) which protect the stored data using strong AES encryption plus onboard PIN protection, are highly portable, meaning they can be used in the office and on the road," he said.

And, he went on to say, if the device is lost or stolen, the data on the drive remains secure.

That restricts the loss to a purely financial one, namely the cost of the hardware, rather than the reputational and possibly legal damages resulting from the incident, he explained.

According to Cordial, as the Lancashire Evening Post report shows, it's so easy to lose a laptop, either through carelessness or a simple theft, and portable computer thefts occur all the time.

"The good news is that none of the customers whose data has been lost has been affected by the loss yet - but that doesn't mean their data won't act as a start kit for identity theft professionals, who now harvest this type of data and clone people's IDs by the tens of thousands every year," he said.

"A little commonsense at the planning stage and the purchase of relatively inexpensive PIN-plus-encrypted hardware, means that data losses as a result of laptop thefts will become a thing of the past," he added.

For more on Origin Storage: http://www.originstorage.com


Networking technology set for growth

Financial services sector leads the market in investing for growth

Investment in network technology, tele/video conferencing, cloud computing and SaaS technology is set to boom in the financial services sector as it recovers from the economic downturn, according to research.

According to networking company Brocade, this will enable organisations to keep pace with the changing business landscape, and they will need proven, reliable infrastructure providers to help them tackle their shifting network needs.

Paul Phillips, Regional Director UK and Ireland, Brocade, stated: “BT Global Services conducted a detailed market survey with a number of senior personnel across a broad sector of UK business and it found that the financial services sector was investing in new networking technologies at a faster rate than many others.”

According to the research, 92 percent of respondents stated that they were investing in at least one of the following: network technology, tele/video conferencing, cloud computing and SaaS technology.

Significantly, the survey found that just over half of financial institutions indicated that they were already investing money in faster, more reliable network technology to speed up their recovery from the economic downturn.

“This indicates to us that the investment being made in networking technologies is designed to deliver leaner, cost-effective infrastructures, designed to complement existing business models. Amongst CIOs in the financial services sector there was a desire for proven, reliable technology providers to help them deliver against their future network infrastructure needs.”

“What is clear is that despite the economic downturn many in the sector are now investing in networking technology to improve efficiency in their businesses to help them maximise profitability as and when the recovery starts,” added Phillips.

“Data is, after all, the enterprise’s most valuable asset. Brocade is focused on helping businesses connect, manage, protect, and profit from their critical data - delivering networking technology to solve the most difficult business challenges.”

Brocade’s proven expertise in data centre networking enables it to align the IT infrastructure with strategic corporate objectives and network performance goals.

Network infrastructure needs to quickly and efficiently transform with the ever-changing business environment. Brocade delivers end-to-end, enterprise-class solutions that allow organisations to adapt with agility and perform without compromise.

Brocade develops extraordinary networking solutions that enable today’s complex, data-intensive businesses to optimise information connectivity and maximise the business value of their data. For more information, visit www.brocade.com.


DDoS-Attacks disable many shopping websites, including Amazon

Just in time for last minute Christmas shopping major shopping sites disabled

by Michael Smith (Veshengro)

London, December 26, 2009: An attack directed at the DNS provider for some of the Internet's larger e-commerce companies – including Amazon, Wal-Mart, and Expedia – took several Internet shopping sites offline on the evening of Wednesday, December 23, 2009, just two days before Christmas Day.

Neustar, the company that provides DNS services under the UltraDNS brand name, confirmed an attack took place on Wednesday afternoon, taking out sites or rendering them extremely sluggish for about an hour. A representative who answered the customer support line said the attacks were directed against Neustar facilities in Palo Alto and San Jose, Calif., and Allen Goldberg, vice president of corporate communications for Neustar, confirmed that at about 4:45 p.m. PST, "our alarms went off."

Goldberg said the company received a disproportionately high number of queries coming into the system, and analyzed it as an attack. Neustar deployed "a mitigation response" within minutes of the attack, he said, and brought matters under control within an hour. The response limited the problems to Northern California, he said.

In addition to the high-profile sites, dozens of smaller sites that rely upon Amazon for Web-hosting services were also taken down by the attack. Amazon's S3 and EC2 services were affected by the problems, according to Jeff Barr, Amazon's lead Web Evangelist, who retweeted a report to that effect without clarification and confirmed it in later tweets.

Web sites depend on DNS providers to translate the human-readable host names in URLs into the IP addresses that Web sites actually use on the Internet. When a DNS provider is overwhelmed with malicious requests for those IP addresses, the system can overload and prevent legitimate users from reaching their destinations.

Amazon's Web Services Health Dashboard declared an all-clear around 6:40 p.m. PST, saying that DNS resolution had returned to normal. Amazon and several other big sites seemed to recover around 5:40 p.m., but some other sites continued to report problems until around 6 p.m.

Needless to say, the timing of such an outage could not have been much worse, as holiday procrastinators rushed to make sure they could get one-day shipping for gifts to be delivered before Christmas Day on Friday.

UltraDNS suffered a similar attack earlier this year, which took out Amazon, Salesforce.com, and other sites. Goldberg described Wednesday's attack as smaller than that one, in that it affected fewer customers.

However, Amazon is no small customer. Goldberg declined to comment on specific customers affected by the outage, and said Neustar had not yet determined the source of the attack.

One expert thought the attack might have been more widespread.

"This was wider than just UltraDNS," said Bill Woodcock, research director at Packet Clearing House, which operates domain name servers and supports Internet exchange points around the globe.

"It's difficult to tell at this point how much is a DDoS attack and how much is collateral damage from the attack that is being felt in other ways," like a domino effect, he said. "There were routing problems at some major European exchanges at the same time that caused major Internet service providers' routers to encounter a higher load and pass fewer packets."

This shows, yet again, the vulnerability of online shopping sites and similar, and I sincerely doubt that it will make people who have previously had bad feelings about online transactions of this kind feel any better.

It could even turn ardent Internet shoppers and users of such sites off using them if such issues can occur again and again.

Not only could things go awry as regards the shopping, but it would even be possible, I should think, that such attacks are also used to get into the systems in order to obtain people's details.

It proves, yet again, as if any more such proof were needed, that operators of sites are not tough enough on their security audits and do not play hard enough as far as defenses go.

Alarms are fine but it should not come to a penetration at all.

© 2009


Fortify Software Launches Hosted Software Security Suite

Fortify on Demand provides integrated static and dynamic security testing for internal and third party applications

London, December 2009 (Eskenzi PR) – Fortify® Software, the market leader in Software Security Assurance (SSA) solutions, announced today the availability of Fortify on Demand, its comprehensive software security suite delivered via Software-as-a-Service. Fortify on Demand integrates Fortify’s market-leading static analysis technology with dynamic application security testing powered by WhiteHat Security, allowing organizations to assess and remediate security vulnerabilities in applications without installing software on-premise.

“As the number of data breaches resulting from attacks against enterprise applications continues to grow, there is a real need for software security technology that is quick and easy to implement while still providing a thorough assessment of your code,” said Barmak Meftah, Senior Vice President of Products and Technology at Fortify Software. “For many organizations, the task of deploying an enterprise-wide software security program can be daunting. Fortify on Demand offers an easy first step for companies that need to quickly assess their overall risk exposure, from both internal and third party software, and then easily begin to implement a software security program to remediate and prevent vulnerabilities in their code.”

Fortify on Demand integrates source and binary code analysis with web application scanning, focusing on a core set of 90+ vulnerabilities in the most popular applications. Delivered through two solution sets, Enterprise Assessment Management and Vendor Security Management, Fortify on Demand provides enterprises with quick and accurate assessments of both internal and third party software.

“Fortify's technology identifies potential security threats in software through very deep analysis which ensures that the software is safe to deploy and the sensitive data and application behavior cannot be compromised by hackers,” said Anurag Khemka, President & CEO of Rightwave, Inc. “Fortify on Demand is very easy to use and gives great pointers on where a vulnerability is rooted in the code so it can be quickly fixed.”

“One of the most compelling aspects of a SaaS model is how cost effective it is. SaaS-based software security testing technologies allow organizations of any size to effectively jumpstart a software security program and begin eliminating vulnerabilities in their code quickly and easily,” said Jim Routh, former Chief Information Security Officer and security consultant in the financial services industry. “At the same time, larger organizations can utilize hosted testing solutions to increase the size and scope of their existing program and extend software security throughout their business.”

“Security testing as a service is a way for enterprises to reduce upfront costs and to augment limited internal resources when undertaking a software security program,” said Joseph Feiman, Ph.D., research vice president and Gartner Fellow. “This technology area is growing and will have a significant impact on the application security market over the next 12-18 months.”

Fortify on Demand is available now. To register for the product, visit: http://www.fortify.com/fortify/getform/reg/ondemand_signup or to sign up for our webinar, visit: https://www1.gotomeeting.com/register/155198536.

Fortify®'s Software Security Assurance products and services protect companies from the threats posed by security flaws in business-critical software applications. Its software security suite – Fortify 360 – drives down costs and security risks by automating key processes of developing and deploying secure applications. Fortify Software's customers include government agencies and FORTUNE 500 companies in a wide variety of industries, such as financial services, healthcare, e-commerce, telecommunications, publishing, insurance, systems integration and information management. The company is backed by world-class teams of software security experts and partners. More information is available at www.fortify.com or visit our blog at blog.fortify.com.


Launchpad Europe welcomes EITO predictions for ICT recovery in the UK in 2010

London, December 2009 - UK-based market accelerator Launchpad Europe welcomes the favourable predictions from the European Information Technology Observatory (EITO) for recovery of the ICT market in the UK in 2010.

Mike Burkitt, Technical Director and co-founder of Launchpad Europe commented: "This is a welcome prediction and reflects much of the conversations we are hearing in the UK marketplace. However, I think we do need to wait and review the first few weeks of January as the real indicator here. Many budgets and projects have been put on hold until the end of 2009 and only if the confidence returns in that early part of the year will we really be able to talk about recovery in 2010."

Burkitt continued: "Many companies from the US and Israel we have engaged with are looking to accelerate their entry into EMEA via the UK in early 2010 so those planning that type of push will be timing it well to leverage the strong channel in the UK and to get pipelines filled in the first half of 2010."

Launchpad Europe's extensive contacts in the system integrator, channel and end user communities ensure that it offers the best possible route to market for early stage entrants in the UK and mainland Europe.

The full story on EITO's predictions can be found here: http://www.eito.com/pressinformation_20091112.htm

Launchpad Europe is a globally reaching company specialising in providing internationally focused organisations with a presence throughout Europe and beyond. Our service ranges from individual sales representation to building an entire, fully functional business entity.

Launchpad provides and supports the full range of:

  • sales and marketing activities
  • direct and indirect third party channel representation
  • distribution
  • technical backup and support services
  • legal and financial advice
  • HR functionality

For more information about Launchpad Europe or to receive the full research results, please visit www.launchpad-europe.com; email countdown@launchpad-europe.com; or follow us on Twitter: @launchpadeurope


ISACA Launches Risk IT to Help Organizations Balance Risk With Profit

Free Download From ISACA.org

Rolling Meadows, IL, USA (December 2009) – ISACA has announced the release of Risk IT: Based on COBIT®, the first global IT-related risk framework to provide a comprehensive view of the business risks associated with IT initiatives. Risk IT builds on ISACA’s globally recognized COBIT framework for IT governance to provide a missing link between conventional enterprise risk management and IT risk management and control.

Enterprises achieve return by taking risks, but sometimes they try to eliminate the very risks that drive profit. Available as a free download at www.isaca.org/riskit, Risk IT is designed to help enterprises increase their return on opportunities by managing risks more effectively, rather than trying to eliminate them completely.

ISACA, a nonprofit association of 86,000 information technology (IT) professionals, developed Risk IT in response to member and industry demand. The framework and its supporting documentation are the result of thousands of hours of work from a team of IT and business experts and 60 expert reviewers spanning North America, Europe, the Middle East, Africa and Asia Pacific.

“Risk IT saves time, cost and effort by providing a clear method to focus on IT-related business risks such as late project delivery, compliance, misalignment, obsolete IT architecture and IT service delivery problems,” said Urs Fischer, CISA, CPA (Swiss), CIA, a developer of Risk IT. “Risk IT provides the guidance to help executives and management ask the key questions, make better risk-adjusted decisions and guide their enterprises so that risk is managed more effectively.”

Risk IT provides a single, comprehensive view of IT-related business risks, which can cost companies millions annually in lost revenues and opportunities.

“Risk and value are two sides of the same coin. Risk is inherent to all enterprises, but a balance must be struck that avoids value destruction and ensures that opportunities for value creation are not missed,” said Risk IT developer Brian Barnier, CGEIT.

“Risk IT helps all levels of management manage risk for the greatest benefit and helps detect warning signs earlier.”

Risk IT complements and extends COBIT and Val IT, but also is highly effective as standalone guidance. A key aspect is that all enterprises using IT, whether one-person shops or multinational conglomerates, can benefit from Risk IT. It can also be customized for any type of enterprise in any geographic location.

The Risk IT Framework is available as a free download. Print versions can be purchased at www.isaca.org/bookstore.

Founded in 1969, ISACA developed and continually updates the COBIT®, Val IT™ and Risk IT frameworks, which help IT professionals and enterprise leaders fulfill their IT governance responsibilities and deliver value to the business. ISACA also sponsors international educational events, develops information systems auditing standards and administers the globally respected CISA®, CISM® and CGEIT® designations.


Parkeon Chooses Fortify Software To Keep Hackers At Bay

December 2009 (Eskenzi PR) - Parkeon, one of the world’s largest parking and transport management solution providers, has chosen Fortify Software, the leading application security software provider, to secure its latest end-to-end electronic payment solutions.

Parkeon engaged Fortify at the very early stages of designing its latest state-of-the-art electronic payment product, ‘ArchiPEL’, recognising that if it was to be robust and secure, the developers would have to build in stringent security with flawless, watertight code to prevent hacking incidents or breaches.

Fortify was a natural choice as it is the application security and testing provider, able to identify, contain and prevent security vulnerabilities in software, chosen by numerous governments around the world, armed forces such as the US Air Force, many of the major banks such as ABN AMRO and JP Morgan, and a number of Fortune 500 companies.

Luc Porchon, Banking Applications Project Manager of Parkeon explains “Parkeon has clients all around the world who currently use our products to make, and receive, payments. The security of these electronic transactions is of paramount importance to us and, therefore, we closely monitor our payment systems to ensure a proven level of security, validating the integrity whilst maintaining the confidentiality of each user’s personal data. We believe, therefore, that security must be built in as a basic vital ingredient right at the beginning of development which is why we employed Fortify’s expertise back in May 2009.”

For three months Fortify provided consultancy to Parkeon to check and scrutinise its Archipelago software to ensure that it passes the stringent requirements of the latest PCI DSS and PA-DSS standards. Using its latest software, Fortify quickly and easily checked all the code at source, testing it for flaws, and then closed any vulnerabilities of the kind that hackers most commonly target in order to breach a system.

Luc summarises, “Using Fortify’s expertise to test our software, right from the outset whilst at the code development stage and again at various stages in its development, uncovering vulnerabilities and then removing these flaws has been essential in getting our product to market on time whilst ensuring it meets the stringent compliancy standards and recent requirements such as PCI DSS and PA-DSS. Fortify has helped us to establish Best Development Practices based on the analysis of architecture and application code, and we will continue to use Fortify software to test all our software to make sure it is secure at all times.”

Parkeon are now on target to move quickly through the audit process that will test that their latest innovative and cutting edge payment systems are secure for the customers waiting to use them.

Gael Barrez, Fortify’s country manager for France, concluded “We are satisfied that using our award winning software, Parkeon will be able to bring to market their excellent and very exciting new secure payment systems on time and on budget.”

Fortify®'s Software Security Assurance products and services protect companies from the threats posed by security vulnerabilities in business-critical software applications. Its software security suite – Fortify 360 – drives down costs and security risks by automating key processes of developing and deploying secure applications. Fortify Software's customers include government agencies and FORTUNE 500 companies in a wide variety of industries, such as financial services, healthcare, e-commerce, telecommunications, publishing, insurance, systems integration and information management. The company is backed by world-class teams of software security experts and partners. More information is available at www.fortify.com or visit our blog.

Parkeon is a leading player in the field of urban mobility, thanks to its unique transversal offer in parking and urban transportation payment solutions and to its constant ability to innovate, as shown over its 35 years of experience. A leader in payment and ticketing solutions for parking and urban transport, Parkeon provides integrated parking and transport management solutions for local authorities and private operators.


BridgeHead Software refutes suggestion that hospital IT does not cut costs

Ashtead, UK - December 2009 - The conclusions of a ScienceDirect report just released in the US - which claims that the computerization of hospitals does not cut costs - have been refuted by BridgeHead Software, the healthcare data management specialist.

"The researchers from Harvard Medical School and the Partners Healthcare System in Boston have done a sterling job with their research, but the report concludes that the use of IT in hospitals only leads to modest increase in quality - and that overall costs do not improve," said Tony Cotterill, BridgeHead's chief executive.

"Our observations suggest otherwise, mainly because our clients have not just computerised their systems, but have made full use of the many extra resources which adding IT to the healthcare systems mix engenders," he added.

According to Cotterill - whose firm has supplied data management and archiving systems to a number of hospitals and healthcare organisations both sides of the Atlantic - the secondary usage of the data that results from adding IT to a healthcare records environment is the key to improved cost savings and consequential patient service improvements.

Healthcare organisations, he explained, can make extensive use of the electronic data that is collated as a result of computerising patient treatment records and allied diagnostic services.

In the NHS, for example, the task of producing monthly, quarterly and annual statistics for line management becomes a lot easier, and 'what if' data interrogations - previously difficult on pre-computerised record systems - can be carried out in close to real-time.

When you factor in the speedier diagnostic advantages to the patient and improvements to health costing systems that are possible from the computerisation of hospital systems, the BridgeHead chief executive went on to say, it's clearly a win-win situation on several fronts.

But, Cotterill cautioned, merely introducing an electronic patient record (EPR) system to the healthcare environment - without overhauling and improving allied systems as well - means that the real cost and healthcare efficiencies that derive from computerisation cannot be enjoyed by everyone concerned.

Whilst it's true to say that early pioneers of computerisation in the healthcare environment - and we are talking about the 1980s here - have only reaped some of the advantages that IT brings to the hospital environment, those systems have long since been improved, he said.

The re-use of data to boost efficiency within the healthcare industry is quite well documented, with the Department of Health having recently published details of a consultation into the use of health records.

According to the study (http://bit.ly/8bW8J7), 75 per cent of researchers thought it was acceptable for data from sealed envelopes to be used for additional purposes if anonymised without the need for patient consent.

Plans call for the Department of Health to set up a number of pilots across England to explore how patients can opt out of having their records viewed for research purposes.

According to Cotterill, once this option is integrated into the computerised healthcare options - which should happen by the summer of 2010 - then the re-use of patient data can start.

"Provided patient confidentiality is ensured, then the anonymous re-use of data can help to boost productivity with little extra fixed or marginal costs, and that is extremely positive," he said.

"Our own views here at Bridgehead is that, amongst the many healthcare users of our data management technology, we have yet to encounter a client whose productivity cannot be boosted the effective re-use of patient data," he added.

On the topic of the US report, BridgeHead's chief executive noted that the ScienceDirect study's findings appear to be at odds with the Department of Health analysis on the subject, as well as anecdotal observations amongst his company's many clients.

Provided healthcare managers carefully plan the computerisation of the patient diagnostic and allied services environment, then Cotterill says there are no reasons why the healthcare unit cannot boost productivity, cut costs and - arguably most important of all - improve the patient treatment experience.

"The key to the introduction of enhanced IT to the patient care environment is a comprehensive root and branch approach to planning, as well as an understanding of the way allied systems can also be improved," he said.

"Excellent though this report is, it overlooks our observations that computerising hospitals on a piecemeal basis can never be as effective as adding IT to the mix on a carefully planned basis," he added.

For more on the ScienceDirect report: http://bit.ly/5KlUi5

For more on BridgeHead Software: http://www.bridgeheadsoftware.com

For the latest news and views on Healthcare Data Management from BridgeHead Software follow their tweets at: www.twitter.com/BridgeHeadHDM

BridgeHead Software is a leading provider of Healthcare Data Management (HDM) software for healthcare institutions and is the world's leading provider of MEDITECH data protection, with over 300 hospital networks worldwide supporting more than 1000 individual hospitals. BridgeHead HDM combines backup, archive and recovery capabilities with seamless integration into specialized healthcare systems and applications commonly found in healthcare environments. Integrated systems include HCIS from MEDITECH, PACS systems from multiple vendors, Microsoft applications and leading storage systems. BridgeHead Software HDM is storage and vendor agnostic, enabling HDM to work with a customer's current and future systems infrastructure.


Industrialisation of Hacking Will Dominate 2010

Industrialisation of Hacking Will Dominate The Next Decade

Imperva delineates five key security trends UK Organisations will face during the next ten years

London, December 2009: As we approach the dawn of a new decade, battle lines are firmly drawn, with UK organisations squaring up to cyber criminals. Imperva, the Data Security leader, predicts five key security trends to watch for over the next ten years:

  • The industrialisation of hacking - Clear definitions of roles are developing within the hacking community, forming a supply chain that starkly resembles that of drug cartels. The weapons of choice will be automated tools applied through botnets. Imperva recently tracked and analysed a compromise that affected hundreds of servers. The scale of this attack, and others like it, is enormous and would not be achievable without total automation.
  • A move from application to data security, as cyber-criminals look for new ways to bypass existing security measures and focus on obtaining valuable information.
  • Increasing attacks through social network sites, where vulnerable and less technically savvy populations are susceptible to phishing attacks and malware infection.
  • An increase in credential theft/grabbing attacks. As the face value of individual credit card records and personal identity records decreases (due to massive data breaches), attackers look at more profitable targets. Obtaining application credentials presents an upsell opportunity, as they provide a greater immediate value to stolen data consumers up the food chain.
  • A move from reactive to proactive security, as organisations move from sitting back and waiting to be breached to actively seeking holes and plugging them, as well as trying to anticipate attacks before they come to realization.

Amichai Shulman, Imperva’s Chief Technology Officer, advises application owners to get their act together and tackle these trends head on. His key recommendations for focus come January 1, 2010 are: “Organisations serious about protecting data will need to address not only the application level but also the source of data. This will mean introducing new technologies including Database Firewalls, File Activity Monitoring, and the next generation of DLP products. These tools should also be combined with other technologies such as Web Application Firewalls and classic DLP solutions to allow organisations to keep track of data flow across the enterprise from source to sink. I see the automation of hacking as a major issue and technical measures will be needed to combat this trend. Organisations must look to integrate their protection tools with proactive security measures, admittedly not readily available today; however, the security community is currently developing solutions and these will become widely available over the next few years. The next decade must see the IT security industry rise up and stand shoulder to shoulder if it is to win the fight against cyber-criminals.”

So, what is facing UK organisations?

1: The Industrialisation of Hacking

There is a clear definition of roles within the hacking community developing, forming a supply chain that starkly resembles that of drug cartels:

* Botnet growers / cultivators, whose sole concern is maintaining and increasing botnet communities

* Attackers who purchase botnets for attacks aimed at extracting sensitive information (or other more specialised tasks)

* Cyber criminals who acquire sensitive information for the sole purpose of committing fraudulent transactions

As with any industrialisation process, automation is the key factor for success. Indeed, we see more and more automated tools being used at all stages of the hacking process. The proactive search for potential victims today relies on search engine bots rather than random scanning of the network. Massive attack campaigns rely on zombies sending a predefined set of attack vectors to a list of designated victims. Attack coordination is done through servers that host a list of commands and targets. SQL Injection attacks, “Remote File Include” and other application level attacks, once considered cutting edge techniques manually applied by savvy hackers, are now bundled into software tools available for download and use by the new breed of industrial hackers. Search engines (like Google) are becoming an increasingly vital piece of every attack campaign, from the search for potential victims to the promotion of infected pages and even as a vehicle for launching the attack vectors themselves.

In the last few days, Imperva tracked and analysed a compromise that affected hundreds of servers, injecting malicious code into web pages. The pages were cross-referenced with keywords that scored highly in Google search results, generating traffic and thus creating drive-by attacks. The scale of this attack, and others like it, is enormous and would not be achievable without total automation at all stages of the process.

Organisations must realize that this growing trend leaves no web application out of reach for hackers. Attack campaigns are constantly launched not only against high profile applications but rather against any available target. An application may be attacked for the value of the information it stores or for the purpose of turning it into yet another attack platform. Protecting web applications using application level security solutions will become a must for larger and smaller organisations alike. End users who want to protect their own personal data and avoid becoming part of a botnet must learn to rely on automatic OS updates and anti-malware software.

2: A Move from Application to Data Security

The effectiveness of network layer attacks has decreased dramatically in the past decade, largely due to better network layer defences. This gave rise to application level attacks such as SQL Injection, Cross Site Scripting and Cross Site Request Forgery.

As these are being gradually addressed by the use of web application firewalls, attackers will turn their attention to more sophisticated attacks either from the outside (business logic attacks) or from the inside (direct attacks against the database). Together with the fast growth in the number of applications that access enterprise data pools these will drive the evolution of data-centric security.

While organisations invest in protecting their major applications using application level tools, many of the smaller applications are still unprotected. Additionally, we see no apparent decrease in internal threats. Disgruntled employees, dubious individuals with internal network access and attackers who control (through Trojans) internal workstations all present a direct threat to enterprise data pools.

It is becoming apparent to organisations that controls must be put not only around the applications accessing the data but also around the data itself. This holds true for data in its structured format within relational databases as well as for unstructured data stored in files on organisational file servers.

To protect these vital assets, organisations must undergo a complete change of mindset, focusing on protecting data at its source regardless of the application accessing it, if necessary utilising a combination of technologies such as a database firewall, database and file activity monitoring and the next generation of DLP products.

3: Mainstream Social Networks and Associated Applications

Social networking sites such as Facebook, Twitter and LinkedIn, which previously attracted mainly student communities, are fast infiltrating mainstream populations, with practically every man, and his dog, now ‘on Facebook’.

As a consequence, large populations not previously exposed to online attackers can now be targeted by massive campaigns. Elderly people and younger children, who did not grow up with an inherent distrust of web content, may find it very difficult to distinguish between messages of a genuinely social nature and widespread attack campaigns. Attackers will also take advantage of the personal information made accessible by social platforms to create more credible campaigns (e.g. making sure your phishing email appears to come from your grandchildren). The capabilities offered by social platforms and their growing outreach into other applications (webmail, online games) allow attackers to launch huge campaigns of a viral nature while at the same time pinpointing specific individuals.

Imperva’s team was able to demonstrate that specific ads carrying attack vectors could be presented to named individuals at an attacker’s will. This in turn allows attackers to easily gain a foothold inside specific organisations by targeting individuals within them. Much like searching the Google search engine for potential target applications, attackers will scan social networks (using automated tools) for susceptible individuals, further increasing the effectiveness of their attack campaigns.

“As social platforms grow at an exponential rate I find this problem to be one of the most challenging for us in the next decade. An entire set of tools that would allow us to evaluate and express personal trust in this virtual society are yet to be developed and put to use by platform owners and consumers. In the meantime, end users should rely on frequently updated anti-malware solutions as well as automatic security updates for their workstations. Organisations, which by now have given up on restricting the usage of social platforms from their enterprise networks, should emphasise the use of centrally managed anti-malware protection and secure surfing gateways,” comments Shulman.

4: Password grabbing/password stealing attacks

Recent statistics show a surge in personal information leakage incidents as well as the compromise of huge volumes of credit card numbers. Leakage incidents were attributed either to media loss (or theft) or to deliberate attacks such as SQL injection or sniffing on internal transaction processing networks.

As stolen personal information becomes increasingly available, the price it commands on the black market is falling, forcing attackers to seek more profitable data. To this end, the last few months have seen hackers target application credentials. Application credentials hold more value for certain types of attackers as they can be further used in automated schemes. While fraud schemes involving stolen personally identifiable information (PII) usually require manual procedures, an attack that makes use of valid credentials for an online banking system can be fully automated. Even when considering manually executed fraud, it is evident that having multiple sets of valid credentials for an online trading application makes it much easier than having the personal data of account owners. Of particular interest to attackers are credentials for webmail applications, as these may further allow the compromise of other credential sets through the password recovery feature of applications. This feature usually sends the credentials of an online application to an email account designated by the owner upon registration. Taking control of the email account (e.g. a Gmail mailbox) allows an attacker to collect the owner’s credentials from a plethora of other applications. Also worth mentioning is the assumption that the credentials a person uses for one application will serve that person on other applications as well. This assumption reflects human nature and the limited ability to remember multiple credentials. Thus, it is not uncommon for people to use the same username and password for their Facebook account as well as their Twitter account and their airline frequent flyer account.

Attackers use many different techniques for obtaining application credentials: on the consumer side these include phishing campaigns, Trojans and keyloggers, and on the application side SQL injection, directory traversal and sniffers. Earlier this year the media became aware of a partial list of Hotmail user credentials traded on the net. The list contained a few thousand records and was probably obtained through keyloggers. Last week our research team became aware of 32 million webmail credentials (Gmail, Yahoo! and Hotmail) grabbed from one application through SQL injection.

Shulman comments: “Consumers should protect themselves mainly from Trojan and keylogger threats by using the latest anti-malware software. Application owners can and should take many steps in order to protect the credentials of their customers. Probably the most effective one is not storing clear-text passwords but rather their digested images. On top of that there are measures to protect the applications using web application firewalls and creating safer password recovery procedures.”
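The two server-side measures Shulman names, storing password digests rather than clear-text passwords and a safer password recovery procedure, can be illustrated together. The block below is an added example, not Imperva's code and not any product's implementation: it keeps only a per-user random salt and a PBKDF2-HMAC-SHA256 digest, compares digests in constant time, and replaces "e-mail the user their password" recovery (the weakness described above) with a random, single-use, expiring reset token of which only a hash is stored. The iteration count, token lifetime and in-memory user store are assumptions chosen for the example.

```python
"""Added example (not Imperva's code): digested password storage plus a
recovery flow that never transmits or stores the credential itself."""
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional, Tuple

PBKDF2_ITERATIONS = 100_000          # work factor; assumption chosen for the example
RESET_TOKEN_TTL_SECONDS = 15 * 60    # reset tokens expire after 15 minutes (assumption)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt per user defeats precomputed tables."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison so response timing does not leak matching prefixes."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


class UserStore:
    """Minimal in-memory user store (constructed for the example): the clear-text
    password is never written anywhere, only its salt and digest."""

    def __init__(self) -> None:
        self.users = {}          # username -> {"salt", "digest", "email"}
        self.reset_tokens = {}   # sha256(token) -> (username, expiry timestamp)

    def register(self, username: str, password: str, email: str) -> None:
        salt, digest = hash_password(password)
        self.users[username] = {"salt": salt, "digest": digest, "email": email}

    def login(self, username: str, password: str) -> bool:
        rec = self.users.get(username)
        if rec is None:
            # Spend the same effort for an unknown user so timing does not reveal
            # which usernames exist.
            hash_password(password)
            return False
        return verify_password(password, rec["salt"], rec["digest"])

    def start_recovery(self, username: str, now: Optional[float] = None) -> str:
        """Issue a one-time reset token to be delivered out of band (e.g. by e-mail).
        Only its hash is stored, so a leaked token table cannot reset accounts."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode("utf-8")).hexdigest()
        self.reset_tokens[key] = (username, now + RESET_TOKEN_TTL_SECONDS)
        return token

    def finish_recovery(self, token: str, new_password: str, now: Optional[float] = None) -> bool:
        """Consume the token (single use) and set a new digest if it is still valid."""
        now = time.time() if now is None else now
        key = hashlib.sha256(token.encode("utf-8")).hexdigest()
        entry = self.reset_tokens.pop(key, None)   # pop: a token works at most once
        if entry is None:
            return False
        username, expiry = entry
        if now > expiry or username not in self.users:
            return False
        salt, digest = hash_password(new_password)
        self.users[username].update(salt=salt, digest=digest)
        return True


if __name__ == "__main__":
    store = UserStore()
    store.register("alice", "correct horse", "alice@example.test")
    print("login ok:", store.login("alice", "correct horse"))
    tok = store.start_recovery("alice")
    print("reset ok:", store.finish_recovery(tok, "new pass"))
```

With the digest design, the recovery feature has nothing to send even if it wanted to: the only thing the server holds is a one-way digest, so the reset link must carry a fresh token and the token must be consumed on first use and expire quickly.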

5: Transition from Reactive To Proactive Security

To date the security concept has been largely reactive: waiting for a vulnerability to be disclosed, creating a signature (or some other security rule), then cross-referencing requests against these attack methods regardless of their context in time or source. As a consequence a lot of resources are invested in distinguishing “bad” requests from “good” requests based on request content alone – a chore that is becoming more and more difficult due to advanced evasion techniques and sophisticated attack schemes. This in turn yields solutions that are forced to make difficult trade-offs between the rates of false detection and non-detection.

Rather than waiting to be attacked, security teams must start to proactively look for attacker activity as it is being initiated over the network, identifying dangerous sources or malicious activity before it reaches a protected server, and even establishing a defence against attacks before they are publicly disclosed.

“We are seeing different projects world-wide approaching this problem from different angles. Projects like DShield (www.dshield.org), ShadowServer (www.shadowserver.org), commercial companies like Cyveillance and others, all try to create their networks of cyber-intelligence sensors. They gather information that can be used to create a real-time threat map from which actionable security policies can be created automatically in real time. Our own research activities into this domain show a lot of interesting data. We can daily detect a list of applications that are soon to be targeted by attackers. New attack vectors show up in early stages, before they are massively used through botnets, and recently active sources of attacks are being revealed,” adds Shulman.

The online security community is in the early stages of digesting this information into actionable items. The future will reveal more offerings around IP reputation, early warning systems and other proactive tools. It will be at the hands of application owners and web application solution vendors to integrate with those tools to provide a proactive security suite for applications.

In conclusion, Amichai Shulman gives hope to those organisations daunted by the fight facing them: “Do I believe this is a war we can win? With due diligence and good technology the odds are in our favour.”

Imperva, the Data Security leader, enables a complete security lifecycle for business databases and the applications that use them. Over 4,500 of the world’s leading enterprises, government organizations, and managed service providers rely on Imperva to prevent sensitive data theft, protect against data breaches, secure applications, and ensure data confidentiality. The award-winning Imperva SecureSphere is the only solution that delivers full activity monitoring from the database to the accountable application user and is recognized for its overall ease of management and deployment. For more information, visit www.imperva.com.


Mobile data problems? Switch to an encrypted hard drive says Origin

Basingstoke, December 2009 - Research just released by a major IT distributor, claiming to show that just 62 per cent of UK organisations were able to monitor when users copied or moved data from their firm's IT resource onto portable devices, comes as no surprise, says Origin Storage.

"The study claims that around 35 per cent of interviewees noted that their firms were also unable to track how data was being saved to a mobile device," said Andy Cordial, managing director of the storage systems integration specialist.

"Whilst it's interesting to note that a sizeable number of organisations have some sort of solution in place to ensure lost or stolen portable devices do not present any risk to the company if they were to fall into the wrong hands, it's clear these guys haven't heard of the latest secure data storage technology," he added.

According to Cordial, as many respondents to the Bell Micro survey noted, most organisations do not have security solutions in place which are 100 per cent effective.

It's therefore hardly surprising that almost a fifth of interviewees described their current security solutions as poor, he explained.

But, the storage systems veteran went on to say, PIN-protected portable hard drives are far more effective than the insecure USB sticks that most respondents to the survey were referring to.

Origin's PIN-protected Data Locker - which uses a hardware based encryption chip to seamlessly encrypt and decrypt user data using military grade AES/CBC mode encryption - means that information can be moved around securely and without any worries of interception.

The portable Data Locker, says Cordial, allows companies to store and protect all of their highly sensitive data and is a vital piece of equipment for most companies.

The unit, he said, is the first device of its kind with PIN protection and AES hardware encryption.

"As illustrated by this survey, IT users are understandably concerned about the rash of high-profile data losses being reported in the media, and are also worried that their organisations cannot easily log what data is being moved around," he said.

"Using a secure and portable data silo like the Data Locker can secure data that needs to be moved and, since the system is so easy to use, can be employed by almost anyone in an office. If you add in suitable on-network logging software, you have an instant solution to the problems identified by this survey," he added.

For more on the distributor mobile data security survey: http://bit.ly/6HTn5G

For more on Origin Storage: http://www.originstorage.com


Hackers Claus havoc at Xmas – shows study!

London – December 2009 – As the holiday season starts to ramp up businesses are being warned about the need to secure their IT defences against the onslaught of hackers who are ready to take advantage of skeleton staff running IT departments over the holidays.

According to Michael Hamelin, chief security architect with Tufin Technologies, the security lifecycle management specialist, the Christmas and New Year holiday periods are the times when the heavy-duty hackers come out to play.

"And whilst you're doing your shopping or putting your feet up, our research shows that the would-be `Neos' of this world stop watching their DVD box sets of Matrix, and start hacking business computer systems," he said.

"Our survey of 79 hackers at the annual Defcon 17 event in Las Vegas back in August revealed that 81 per cent of the hackers view the holiday season as the ideal time for hacking business computer systems," he said.

Whether this is for mischief or criminal purposes, the effect is usually the same, said the security professional, adding that businesses come back to the offices after the holidays to find that the hackers have caused havoc with their IT systems, as well as gaining unauthorised access to the system's data.

Tufin's research revealed that 52 per cent of hackers said they preferred weekday evenings to gain unauthorised access to computer systems, whilst 32 per cent hacked away during weekday office hours, and just 15 per cent spent their weekend breaking into online systems.

"It's received knowledge in the security world that the Christmas and New Year season are popular with hackers targeting western countries," said Mr Hamelin, adding that hackers know this is when people relax and let their hair down, and many organisations run on a skeleton staff over the holiday period.

96 per cent of hackers in the survey said it doesn't matter how many millions a company spends on its IT security systems, as it's all a waste of time and money if the IT security administrators fail to configure and watch over their firewalls.

86 per cent of cracker respondents felt they could successfully hack into a network via the firewall; a quarter believed they could do so within minutes, 14 per cent within a few hours.

Just 16 per cent, meanwhile, said they wouldn't hack into a firewall even if they could.

"This may be stating the obvious," said Hamelin, "but poorly configured firewalls remain a significant risk for many organisations."

"It's not the technology that's at fault, but rather the configuration and change control processes that are neglected or missing altogether," he explained.

"Best practice suggests you should test and review your firewall configuration regularly, but many organisations fail to do so," he explained.

Validating the frustrating gap between compliance and security, 70 per cent of the hackers interviewed said they don't feel that regulations introduced by governments worldwide to implement privacy, security and process controls have made any difference to their chances of hacking into a corporate network.

Of the remaining 30 per cent, 15 per cent said compliance initiatives have made hacking more difficult and 15 per cent believe they've made it easier.

Tufin is offering some useful recommendations to make sure you don't become a hacking victim over the Christmas and New Year break:

1) Always test the firewall before holidays. Review and remove any unnecessary rules and objects, as Tufin's experience has shown that many firewalls offer functionality that is neither used nor intended. A test of the gateway and the firewall will reveal the services in use, which can then be reviewed and removed as required.

2) Restrict firewall services to authorised IP addresses. Restricting services offered to only authorised address ranges effectively hides their presence to the Internet, whilst at the same time still enabling the service to be used by intended users.

3) Apply the latest relevant patches and workarounds. Attackers are often able to profile the firewall and VPN location and type based on the default ports in use. It is a high priority to keep a disciplined approach to patch updates.

4) Enforce session logging and alerting to detect attacks. Log and alert any and all failed port scans or attempted connections to VPN and firewall management ports. This will help to detect potential hacker attacks and take preventative action.

5) Spring clean your firewall policy. If any default ports are detected, organise a spring clean of the firewall policy configuration to ensure there are no hidden errors resulting from a default installation.

6) Set a limit on the number of failed authentication attempts. Lock out an account and raise an alert flag after a set number of failed authentication attempts.

And on a lighter note...

7) Don’t open up those “home shopping services” to help your colleagues get their shopping done on time.

8) Just because it’s Christmas does not mean that you should throw out the rule book about opening “presents” from anonymous donors.

9) Don’t invite strangers into your network during the annual Christmas party.

10) It’s not the season of goodwill to ALL men so don’t leave backdoors unlocked!
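Recommendations 2, 4 and 6 above (restrict management services to authorised addresses, log and alert on attempted connections to management ports, and lock out accounts after repeated authentication failures) lend themselves to a small review script. The block below is an added example, not Tufin's code or any firewall vendor's format: the rule table, the syslog-style log lines, the set of management ports, the authorised admin network and the lockout threshold are all constructed assumptions, and the output is a list of findings and alerts rather than any enforcement action.

```python
"""Added example (not Tufin's code): policy review and log analysis for
firewall/VPN management access, on constructed sample data."""
from collections import defaultdict
import ipaddress

MANAGEMENT_PORTS = {22, 443, 4500}                        # SSH, HTTPS admin, IKE NAT-T (assumption)
ADMIN_NETWORKS = [ipaddress.ip_network("10.20.0.0/24")]  # authorised admin range (constructed)
LOCKOUT_THRESHOLD = 5                                     # recommendation 6 (value assumed)

# Constructed rule table: one dict per allow/deny rule.
SAMPLE_RULES = [
    {"name": "admin-ssh", "src": "10.20.0.0/24", "dst_port": 22, "action": "allow"},
    {"name": "vpn-any", "src": "any", "dst_port": 4500, "action": "allow"},
    {"name": "web-mgmt-partner", "src": "203.0.113.0/24", "dst_port": 443, "action": "allow"},
    {"name": "public-web", "src": "any", "dst_port": 80, "action": "allow"},
]

# Constructed syslog-style lines: "<time> <src_ip> <dst_port> <event> [user=<name>]"
SAMPLE_LOG = """\
08:00:01 198.51.100.7 443 auth-fail user=admin
08:00:03 198.51.100.7 443 auth-fail user=admin
08:00:05 198.51.100.7 443 auth-fail user=admin
08:00:07 198.51.100.7 443 auth-fail user=admin
08:00:09 198.51.100.7 443 auth-fail user=admin
08:00:11 198.51.100.7 443 auth-fail user=admin
08:01:00 10.20.0.15 22 auth-ok user=ops
08:01:30 198.51.100.9 22 conn-attempt
08:01:31 10.20.0.15 22 conn-attempt
08:02:00 203.0.113.4 80 conn-attempt
"""


def is_authorised(ip: str) -> bool:
    """True if the address falls inside an authorised admin network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ADMIN_NETWORKS)


def review_policy(rules) -> list:
    """Recommendation 2: flag allow rules that expose a management port to any
    source outside ADMIN_NETWORKS, including the catch-all 'any'."""
    findings = []
    for rule in rules:
        if rule["action"] != "allow" or rule["dst_port"] not in MANAGEMENT_PORTS:
            continue
        src = rule["src"]
        exposed = src == "any" or not any(
            ipaddress.ip_network(src).subnet_of(net) for net in ADMIN_NETWORKS
        )
        if exposed:
            findings.append(f"{rule['name']}: management port {rule['dst_port']} open to {src}")
    return findings


def parse_log(text: str) -> list:
    """Parse the constructed log format into event dicts."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        ev = {"time": parts[0], "src": parts[1], "port": int(parts[2]), "event": parts[3], "user": None}
        for extra in parts[4:]:
            if extra.startswith("user="):
                ev["user"] = extra[len("user="):]
        events.append(ev)
    return events


def analyse_log(events) -> dict:
    """Recommendation 4: alert on connection attempts to management ports from
    unauthorised sources. Recommendation 6: lock an account after
    LOCKOUT_THRESHOLD failures, counted per (source, user) so one remote source
    cannot burn through the threshold against every account at once."""
    alerts = []
    failures = defaultdict(int)
    locked_out = set()
    for ev in events:
        if ev["port"] not in MANAGEMENT_PORTS:
            continue
        if ev["event"] == "conn-attempt" and not is_authorised(ev["src"]):
            alerts.append(f"{ev['time']} unauthorised source {ev['src']} probed management port {ev['port']}")
        elif ev["event"] == "auth-fail":
            key = (ev["src"], ev["user"])
            failures[key] += 1
            if failures[key] >= LOCKOUT_THRESHOLD and ev["user"] not in locked_out:
                locked_out.add(ev["user"])
                alerts.append(f"{ev['time']} lockout: {ev['user']} after {failures[key]} failures from {ev['src']}")
    return {"alerts": alerts, "locked_out": locked_out}


if __name__ == "__main__":
    for finding in review_policy(SAMPLE_RULES):
        print("POLICY:", finding)
    for alert in analyse_log(parse_log(SAMPLE_LOG))["alerts"]:
        print("ALERT:", alert)
```

On the sample data the policy review flags the two rules that open a management port beyond the admin range, and the log analysis raises a lockout for the account hammered from 198.51.100.7 and an alert for the probe of port 22 from 198.51.100.9, while the same probe from an authorised admin host passes silently. Counting failures per source rather than per account alone keeps a stranger from locking administrators out of their own firewall during the holiday period.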

Tufin™ is the leading provider of Security Lifecycle Management solutions that enable companies to cost-effectively manage their network security policy, comply with regulatory standards, and minimize IT risk. Tufin's products SecureTrack™ and SecureChange™ Workflow help security operations teams to manage change, minimize risks and dramatically reduce manual, repetitive tasks through automation. With a combination of accuracy and simplicity, Tufin empowers security officers to perform reliable audits and demonstrate compliance with corporate and government standards. Founded in 2005 by leading firewall and business systems experts, Tufin serves more than 400 customers in industries from telecom and financial services to energy, transportation and pharmaceuticals. A respected member of the network security community, Tufin partners with leading vendors including Check Point, Cisco, Juniper, Fortinet and F5, and is committed to setting the gold standard for technological innovation and dedicated customer service. For more information visit www.tufin.com, or follow Tufin on: Twitter at http://twitter.com/TufinTech,

LinkedIn at http://www.linkedin.com/groupRegistration?gid=1968264,

FaceBook at http://www.facebook.com/home.php#/group.php?gid=84473097725

The Tufin Blog at http://tufintech.wordpress.com/

The Tufin Channel on YouTube at http://www.youtube.com/user/Tufintech


Christmas shopping period worst time for leaving mobile devices in the back of cabs – warn London cabbies

Almost 60,000 mobile phones are left in London taxis every six months – but build up to Christmas is the worst time

London, 2009 – London cabbies warn that the time around the holiday season is the worst time of year for leaving mobile devices such as phones, laptops and USB sticks in the back of their cabs as busy shoppers jump in and out of their cabs with their hands full of Christmas shopping.

According to the regular taxi survey organised by Credant Technologies, Londoners forget on average around 10,000 mobile phones a month (almost one every two months per taxi) in the back of taxis, and more than 1,000 other handheld devices, including iPods, laptops and memory sticks, every month.

The taxi survey – which is carried out in London amongst licensed taxi drivers – seeks to gauge the frequency and ease with which mobile devices are lost in transit.

The study also highlights the fact that if you travel in taxis or other forms of public transport, then you need to encrypt your data so no one can see it. At the very least, you should password protect your data since, as various high-profile cases have shown in the last few years, it could easily fall into the wrong hands.

Steve McMenara, a spokesperson for TAXI, which is a magazine published by the Licensed Taxi Drivers Association, said: “It’s a known fact that this is the worst time of year for forgetting ‘property’ in the back of cabs, but especially mobile phones and laptops as they slip onto the floor or get forgotten on the seats as passengers rush on to their next destination with their hands full. More people travel into London to buy their Xmas presents during this period who are not regular cab users; they hop in a cab to get back to their train stations – and it’s always about an hour later we get a panicked call on their mobile phones asking for them to be returned.”

This warning message to the business community – as well as individuals - to be vigilant when travelling with their mobile devices has never been more relevant, especially as more people than ever before are using the latest range of 'must have' mobile smartphones to store sensitive personal and business information.

Many of these devices now have the capacity to store as much as 4,000 pictures, 20,000 Word documents, 200,000 emails or an amazing 500,000 contact files, making them an obvious target for identity theft criminals and hackers who can – and do - steal this information and then assume the identity of the user both in their personal and business life.

Sean Glynn, vice president with Credant Technologies, said: “We carry out our taxi survey regularly and it’s clear that none of us are infallible, especially at this busy time of year, when it’s all too easy to forget things when you’re travelling.”

“Back in the good old days when a Window was something you looked out of, and a Mac was something you wore in the rain, it used to be small items like brollies and briefcases stuffed full of boring office papers. Now it’s laptops, smartphones and thumb drives, all chock-full of valuable information to an identity thief,” he added.

“This time of year would appear to be the worst time of year for leaving things at the back of cabs – so our advice is to be more cautious than ever and, as the voice on the train always tells us: check you have all your belongings with you before you leave.”

“And if you don’t want to worry about the consequences of losing your mobile – with all those embarrassing text messages and pictures - or laptop with valuable personal and company information – then protect that data using encryption and/or passwords. The technology is available, so why not use it?”

Taxis are a safe place to lose your mobiles

If you are to lose your mobile phone or other mobile device then there’s no better place than the back of a London taxi to lose it, with 80% of the cabbies claiming that their owners were reunited with them once they found the device at the back of the vehicle.

In a parallel survey carried out in New York, researchers found that the chances of getting your mobile device back were lower than in London, with 66% of the cabbies handing them in to the depots at the end of the day.

Not just mobiles forgotten…but diamonds, a baby, a sawn off shotgun, 12 dead pheasants, 2 dogs, 1 cat, toilet seats and funeral ashes …

Over the last few years of the taxi survey, cabbies have recalled – with some amusement – a variety of strange and unusual objects in the back of their cabs at the end of the shift.

These have included a wedge of money that came to £2,700 – and which found its way back to its rightful and presumably very happy owner – 12 dead pheasants and a casket of funeral ashes, to mention but a few. And that is before we get to the cabbies that found items such as false teeth, artificial limbs, pork chops and a bra in the back of their taxi!

Forgetfulness also happens to the rich and famous

One lady taxi driver recalls an incident a few years back when she got a nice surprise, after she found that Jemima Khan had forgotten her iPod, mobile phone and purse and left them in the back of her cab.

When she got a phone call to return it to Jemima’s friend, she was delighted that the friend turned out to be none other than movie star Hugh Grant, who kindly gave her his autograph as a thank-you.

So, if you don’t want to risk a virtual custard (or should that be blackberry?) pie in the face from family, friends or employer, heed the message and protect both your device and yourself.

Box Out

Credant Technologies suggests some things you can do to make sure that, if you do lose your mobile phone, smartphone or other mobile device such as a laptop, you don't lose your entire personal and corporate identity with it.

Tip One - Back-up your mobile device regularly.

Tip Two – If you have important and sensitive company data on your mobile device get your IT department to encrypt it - they can do this remotely – meaning only you can read it!

Tip Three - Use a strong password on all your devices that combines numbers, letters and symbols.

Tip Four - Put your name and number with details of a reward on your device if found and returned.

Tip Five - Use your device's security features - such as a Personal Identification Number (PIN) which only you know - to stop others getting access to it!

Tip Six - Use your head - don't keep data on your laptop or mobile phone that others could use against you - such as revealing pictures.

Tip Seven - Don't save old SMS or emails on your handset that you don't need anymore - you'd be surprised how many people keep their default password emails on their mobiles and other hugely sensitive information like PINs, bank account details or passwords!

Tip Eight - Check your message folders such as drafts, saved and outbox as there will be lots of information you just don't need to keep there. Look at your call list - delete any numbers you no longer need.

Tip Nine – Physically mark your handset with personal information. This will greatly reduce the second-hand value of the mobile if it is stolen.

Tip Ten - Record your IMEI: Every mobile phone has a unique 15-digit electronic serial number that can be referenced by dialling *#06#.

Tip Eleven – Notify your network carrier AND the police immediately in the event of loss or theft. Tell them your IMEI number and any other identifying features on your phone. (PS – If the device contains company data – emails, customer or employee records, documents, etc. – inform your employer also. You/they may be required to inform the appropriate authorities of a potential data breach.)

Tip Twelve - Don't leave your device open to access (e.g. leaving Bluetooth or WiFi on, visible and unsecured).


Infosecurity Europe 2010 Hall of Fame nominations now open

-- "No need for a mention in the next novel by Dan Brown"

A century after Johannes Diderik van der Waals won the Nobel Prize for Physics - for his work on the equation of state for gases and liquids in 1910, in case you were wondering - nominations are now open for the IT security equivalent of the prestigious prize.

History may have forgotten Mr van der Waals, but there can be no doubt that the accolades he received from his peers will be similar to the accolades that the winner of the Infosecurity Europe 2010 Hall of Fame will receive in our industry.

And with previous winners that included David Lacey, Professor Fred Piper, Professor Howard Schmidt, Bruce Schneier and Phil Zimmerman - the latter pair even meriting a mention in the novel The Da Vinci Code - now is your chance to influence IT security history.

Infosecurity Europe 2010 is proud to once again host the Hall of Fame in the Keynote Theatre, where internationally recognised inductees will be sharing their expertise.

Whilst it's debatable whether the winner of the 2010 award will get the honour of a mention in a popular novel as Bruce Schneier and Phil Zimmerman did, there's a very strong chance they will get the appreciation they deserve from the modern IT security community.

In order to nominate someone to the Hall of Fame, candidates must meet the following criteria:

* Be an internationally recognised and respected Information Security practitioner or advocate

* Have made a clear and long-term contribution to the advancement of Information Security

* Have provided intellectual or practical input that has shifted the advancement of Information Security

* Be an engaging and revolutionary thought leader in Information Security

"Whilst a mention in the next Dan Brown novel isn't mandatory for a nomination in the above criteria list, we think the 2010 winner of the Infosecurity Europe 2010 Hall of Fame award will be someone the industry can look up to," said Tamar Beck, Group Exhibition Director, Infosecurity Europe.

To make your nomination to the Infosecurity Europe 2010 Hall of Fame visit www.infosec.co.uk/fame

Infosecurity Europe, celebrating 15 years at the heart of the industry in 2010, is Europe’s number one Information Security event. Featuring over 300 exhibitors, the most diverse range of new products and services, an unrivalled education programme and visitors from every segment of the industry, it is the most important date in the calendar for Information Security professionals across Europe. Organised by Reed Exhibitions, the world’s largest tradeshow organiser, Infosecurity Europe is one of five Infosecurity events around the world with events also running in Belgium, Netherlands and Russia. Infosecurity Europe runs from the 27th – 29th April 2010, in Earls Court, London. For further information please visit www.infosec.co.uk


'EastEnders' laptop theft highlights failure to encrypt data say IT security experts

by Michael Smith (Veshengro)

The recent reports that a laptop containing the Christmas scripts for BBC TV's long-running EastEnders soap has been stolen could cost the corporation dearly, warns Credant Technologies, the endpoint data protection specialist.

"Whilst it sounds an amusing tale, the fact that the laptop was stolen during a burglary brings the theft of the laptop firmly into focus. It shows that laptop thefts can occur anywhere and at any time - and that companies need to be aware of this issue," said Paul Huntingdon, Credant's UK director.

"The danger here is that the plotline for the Christmas episodes will leak out before Christmas and reduce the soap's viewing figures, almost certainly to the benefit of other broadcasters," he added.

What is potentially worse, he went on to say, is that, if the scripts do fall into the wrong party's hands - perhaps by being posted on the Internet - then a third party could profit from the situation, without any money going to the BBC coffers.

Imagine, he explained, if this script loss had occurred to ITV and the Christmas scripts to Coronation Street or Emmerdale were leaked - this could cost ITV real revenue in advertising terms, as the advertisers would almost certainly demand some of their expensive Christmas ad payments back.

More than anything, the Credant director said, this shows how a failure to encrypt the data on a laptop that is subsequently stolen can have potential direct and indirect revenue consequences.

"It remains to be seen what the BBC will do about the script losses in the longer term, but I wouldn't be surprised to see threats of legal action flying around if the scripts do find their way into the public domain," he said.

"And a legal action that claims compensation for a failure to protect a laptop's data could be very interesting from a security perspective. It might even wake up a few corporate minds who have ignored the security issues with portable PCs, and that's no bad thing," he added.

I must say that it keeps amazing me that people just do not have protection on their computers that would render any such theft useless, or, better still, keep sensitive data such as this on an external hardware-encrypted device which would prevent unauthorized access.

When the child has fallen into the well it is – generally – a little late to put a cover on the thing, and the same is true when stuff gets lost or stolen.

I believe we all remember the British secret service agent who left an ordinary USB stick with all the data on the anti-drugs operation they were running in Colombia at a railroad station.

For less than US$20 (the price of the cheapest encrypted devices), compared with US$5 for the unencrypted kind, an entire operation was compromised. But this keeps going on and on and, it would appear, no one learns.

For more on the EastEnders' Christmas script laptop theft: http://preview.tinyurl.com/yz6be6k

For more on Credant Technologies: http://www.credant.com

© 2009


Cloud vs conventional storage and computing in general

by Michael Smith (Veshengro)

Cloud computing and cloud storage are presently, in Fall/Winter 2009, and have been for a year or so, being touted as the bees' knees for “general” computing, storage and collaboration.

Web 2.0 has been around for a while now but as far as I am concerned – and I do believe that I am not alone in this here – there are still way too many security and personal privacy implications as well as implications of ownership.

Coming from a background of security and privacy, cloud computing in any shape or form does not instill confidence in me as yet as regards data security, safety, privacy and access. Especially not when considering that some providers reckon that when I use their service I grant them copyright to all of my material. Erm, sorry, but I do not think so.

As far as ownership is concerned, as indicated in the previous paragraph, the likes of Google and others in their EULA state explicitly that by using the service provided by them the user signs over copyright to any and all materials stored in the cloud to the service provider to use by them as the service provider sees fit.

While this appears to be seen by the providers as a “joint copyright” after the event, as far as I am concerned, if I wrote an article or a book or a paper it is my copyright and not one that of, even in a shared ownership, Google or some other provider.

The other concern as far as the “cloud” goes is what happens to the material stored there if a service provider folds.

This concern is, I guess, more applicable to “free” services rather than to “paid for” ones but, nevertheless, it could happen there also. What then? How do you get your material back?

What redress does a user have if data is lost? This is a discussion that seems to be going on in various quarters as of Fall 2009, and one that I can only sympathise with too.

Therefore, I must say that, as far as I am concerned, for a variety of reasons, privacy, security and ownership being the prime concerns, I will not be using cloud storage per se. I see too many problems there and too many possible pitfalls.

© 2009


USBs: An Employee's Dream - IT's Worst Nightmare

Define and Enforce an Effective IT Security Strategy or Risk Exposure

By John Jefferis, Vice President, Ironkey

USB drives, or memory sticks as they are sometimes called, are immensely popular and increasingly the weapon of choice for employees looking for flexibility in their working environment. Having proved invaluable in increasing productivity, they are easy to use regardless of the user's technical ability and able to carry millions of pages of data. The scenarios where they bring benefits are numerous: working from home, working on location at a client site, moving between multiple computers, backing up a laptop while travelling, transferring information between portable devices, and sharing data with customers at conferences or exhibitions, to name just a few. However, a word to the wise: this productivity comes at a cost higher than the original price tag.

These dream devices are proving an absolute nightmare for IT managers as they struggle to ensure the data they carry is secure. A standard DVD-sized (4GB) key fob drive can be bought online for less than ten pounds and from high-street retailers for little more. Couple that with the fact that a growing number of mobile phones and MP3 players now reach this level of storage capacity and come with standard or mini-USB connectors, and you begin to understand the scale of the problem.

One serious risk is that of the device being lost or stolen, as highlighted in an annual independent study by the Ponemon Institute into ‘Trends in Insider Compliance with Data Security Policies’. In its most recent edition (published June 2009), 43% of respondents admitted to having lost, or had stolen, a portable data-bearing device. Another increasingly apparent issue is the spreading of viruses and malware. This was aptly illustrated by Ealing Council, which revealed in September that it had been forced to cut internet and phone links to preserve “core systems and data” after a worker plugged an infected memory stick into a computer in May 2009. The sophisticated virus spread rapidly, with further shutdowns required when the network was re-infected twice the following week and all terminals having to be rebuilt or replaced. The Council faces a £501,000 bill for the emergency recovery and lost revenue, and it is feared the final cost could top £1.1 million if a new computer security system is needed. This is not an isolated incident: Manchester City Council suffered virtually the same fate in February.

However, both of these risks can be counterbalanced by defining an effective IT security strategy. Here’s how:

Step 1: Ban Staff Using Unprotected Sticks and Uncontrolled Devices

In the first instance, companies should bar staff from bringing vanilla (i.e. unprotected) USB sticks onto company premises, and from using them on work-at-home PCs if company data is involved.

Step 2: Give Them Something They Can Use

Employees want to use them, so remove the allure of vanilla sticks by providing an authorised corporate secure USB storage device. Increased productivity should compensate for the initial outlay, and a pooling system will help keep a lid on costs. Here ‘secure’ means a USB stick with a degree of security intelligence built into it. This intelligence is quite benign and sensible, typically including on-board anti-malware and anti-virus software, updated across the Internet each time the device connects.

Step 3: Induction

If you don't already have a staff induction course, you need one, as all sorts of company policy and relevant legislation need to be explained to new employees, as well as to temporary workers from agencies. An important part of the process is to familiarise all employees with the security policies. It is worth stating that any amendments to the security policy, and to any other policies for that matter, should be communicated to existing employees with a method for tracking who has been made aware of the change; ignorance shouldn't be available as a defence.

Step 4: Education versus Draconian

Rather than ‘because I said so’, all mandates should include an educational element so as not to be viewed as a pointless exercise created by those who ‘don’t understand how we work’. Explaining the reasoning behind rules will often gain employees' support, as they can follow the impetus behind the instruction rather than simply wishing to circumvent the obstruction.

Step 5: Identify What’s Out There

It's vital to use on-network technology that analyses new devices as they are hooked up to the company system and locks out any unauthorised device. No exceptions, even for the MD.

Step 6: Manage Centrally

All devices should be enrolled in a remote portable device management scheme, whereby portable devices are updated with IT security policies and checked for general health as they connect to the company IT resource, directly or across the Internet. A reputable IT security system will include the remote management and tracking of secure intelligent flash drives, and also the ability to recover content, reset a password and re-deploy or destroy data on a device as and when required. It's often this remote control facility that proves a serious lifesaver for staff and management, as USB sticks and portable storage devices can fail, go missing or simply misbehave.

Step 7: Back Up

Finally, you'd be surprised how many people rely on these devices yet fail to take a back-up - even though their desktop or laptop PC is backed up automatically and regularly.

In an ideal world, all staff would understand the need for IT security, and backups for that matter, but life’s too short, and some staff, let's face it, have other priorities in life. They - and we - are only human after all. This is where an effective IT Security Strategy that utilises automated security management of portable storage devices, as well as other on-network resources, is so critical. Good management software operates unobtrusively in the background.

We can't all be super-tech-savvy Tom Cruise in Mission Impossible, but we can use our IT resources sensibly and comply with best practice, without having to worry about it. That's what differentiates a good IT security strategy from an effective one.

Ironkey is exhibiting at Infosecurity Europe 2010, the No. 1 industry event in Europe held on 27th – 29th April in its new venue Earl’s Court, London. The event provides an unrivalled free education programme, exhibitors showcasing new and emerging technologies and offering practical and professional expertise. For further information please visit www.infosec.co.uk

IronKey's award-winning products and services combine the world's most secure flash drive with the world's most powerful USB management software. IronKey's USB flash drives bring the power of authentication, encryption, identity management and privacy to businesses and consumers in 23 countries. IronKey's management software and associated services allow enterprises of all sizes, government agencies, the military, and other organizations to take back control of the mobile data that has been leaking out of their organizations due to the uncontrolled proliferation of USB drives.


A third of workers will Steal Data to help a friend find a job says study

41% have already taken data just in case they themselves get the boot, with the majority admitting it's easy to do so as employers do little to stop them!

(Eskenzi PR) - The recession is creating camaraderie amongst workforces at the expense of their employers, finds a transatlantic survey.

Carried out amongst 600 office workers in Canary Wharf, London, and Wall Street, New York, the survey found that 41% of workers have already taken sensitive data with them to a new position, whilst a third would pass on company information if it proved useful in getting friends or family a job.

Pilfering data has become endemic in our culture: 85% of people admit they know it is illegal to download corporate information from their employer, but almost half couldn't stop themselves taking it with them, with the majority admitting it could be useful in the future. However, it would seem employers have only themselves to blame, as they appear pretty lackadaisical when it comes to protecting their data from their employees: 57% of respondents stated that it has become a lot easier to take sensitive information from under their bosses' noses this year, up from 29% last year.

The survey, entitled “The global recession and its effect on work ethics” and carried out for a second year in the US and UK by Cyber-Ark, the Privileged Account Management specialists, found that almost half of the respondents (48%) admit that if they were fired tomorrow they would take company information with them, and 39% would download company or competitive information if they got wind that their job was at risk. Additionally, a quarter of workers said that the recession has meant that they feel less loyal towards their employer.

It would seem that desperate times call for desperate measures as workers are also prepared to do almost anything to keep their jobs. In the UK just over a quarter of employees are prepared to work 80 hours a week to keep their jobs which is surprisingly higher than our US counterparts with just 12% in the US suggesting they would work that much harder to keep their job. Conversely, it’s interesting to note that 20% of UK workers are prepared to take a salary cut to keep their jobs compared with a staggering 50% of US workers.

Of those that plan to take competitive or sensitive corporate data, 64% will do so ‘just in case’ it were to prove useful or advantageous in the future, 27% would use it to negotiate their new position, while 20% plan to use it as a tool in their new job.

Top of the hit list is customer and contact details – 29%, then plans and proposals – 18%, with product information bringing up the rear – 11%. What is cause for alarm is the 13% of savvy pilferers who would take access and password codes as, with this information, they can still get into the network once they’ve left the company and continue downloading information and accessing whatever they want or need.

32% revealed that they would do their utmost to take a peek at the redundancy list to find out if their name was on it, choosing to bribe a mate in the HR department first - 43%, followed by using their own IT access rights to snoop around the network – 37%, and if this failed they would get a mate in the IT department to try and get the inside track – 30%!

Mark Fullbrook, UK Director of Cyber-Ark explains, “While we are seeing glimmers of hope in the UK and US economy, clearly employee confidence has been rocked. This survey shows that many workers are willing to do practically anything to ensure job security or make themselves more marketable – including committing a crime. While there is no excuse for employees who are willing to compromise their ethics to save their job, much of the responsibility for protecting sensitive proprietary data is the responsibility of the employer. Organisations must be willing to make improvements to how they monitor and control access to databases, networks and systems, even by those privileged users who have legitimate rights. Additional protection can be added with simple steps like frequently changing passwords and only granting access to certain information on-demand.”

The weapon of choice for taking information remains a USB or memory stick, with printing it out on paper second and emailing it to oneself a close third. The most astonishing statistic is that people in the UK are now less worried about losing their jobs: 26% compared with 46% in 2008. Or perhaps those that were worried are no longer employed to answer this year!

Summary of Findings

41% of workers admit they have taken company data with them to get their next job.

1 in 3 would download company data to help a friend or family get a job.

Most use USB sticks to take information 41%, followed by paper, then emailing it to themselves.

Quarter of workers in Canary Wharf would work 80 hours a week to keep their jobs compared with 12% in Wall Street New York.

20% of workers in Canary Wharf would take a salary cut to keep their jobs compared with 50% of their US counterparts.

39% of workers would take company data if they thought their jobs were at risk.

When asked why they would take data, 64% said just in case it helped them in the future, 27% would use the information as a negotiating tool in interviews and 20% would use it in their new job.

57% say it’s easy to take sensitive data from their companies; last year only 29% admitted it was easy.

Favourite information to steal is customer & contact details, followed by plans and proposals, then product information. 13% would take access & password codes as this would allow them access to information whenever they wanted it.

Workers are far less worried about the security of their jobs compared with this time last year, with 26% admitting they are nervous about their jobs compared with 46% last year.

85% believe it is illegal to download company information.

A quarter of workers feel less loyal towards their employers because of the recession.



Media Giant’s Trusted Security Partner Ranks Tufin As Best in Class for Policy Analysis, Rule Clean up and Optimization; Deployment Significantly Reduces Firewall Management Burden

Ramat Gan, Israel, December 2009 - Tufin Technologies, the leading provider of Security Lifecycle Management solutions, and Nebulas Solutions Group today announced Virgin Media as a joint customer. As part of an overall network infrastructure improvement programme, Virgin Media turned to Nebulas Solutions Group to source a more resilient, efficient firewall infrastructure. Knowing that bloated rule bases are a major source of inefficiencies, Nebulas undertook a rigorous evaluation process and selected Tufin SecureTrack to identify obsolete, redundant and unnecessary firewall rules. By implementing SecureTrack, Nebulas enabled Virgin Media to improve firewall CPU and memory performance by 15 percent and reduce the management load by 30 percent.

“One of the reasons we chose Nebulas to be our exclusive security partner is the value they add with product analysis and testing - its views are based on product integrity not just whether they are resellers for a particular product,” said Colin Miles, UK Corporate Network Manager, Virgin Media. “Its assessment of Tufin SecureTrack was spot on – it has dramatically improved firewall performance, maximized the longevity of our current infrastructure and given my team back about 30 percent of their day.”

Virgin Media is the UK’s leading entertainment and communications company, and employs 20,000 people distributed across 800 UK sites. Virgin Media’s Check Point and Nokia firewall infrastructure was ageing; some hardware had been installed for almost a decade and needed updating. Firewalls were also not running the most up-to-date versions of code, which had a negative effect on both performance and security. Additionally, a specific cluster of firewalls in a data centre was experiencing serious stability problems, which seemed to stem from the firewall rule base, which was double the size recommended by the firewall vendor. The load on CPU and memory was causing frequent failures of service and resulted in change windows shifting to non-business hours to avoid additional downtime, over-extending the operations team.

Nebulas Solutions reviewed several products to help Virgin Media tackle the unwieldy rule base and manage it more efficiently in the future. The rigorous evaluation consisted of a written review of three solutions based on rule clean-up capabilities, firewalls supported, cost, and ease of use. Tufin SecureTrack was the strongest on all fronts and, after a highly successful trial, Virgin Media deployed SecureTrack to analyse rule and object usage and clean up unused rules without disrupting business operations.
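Rule-base clean-up of the kind described here rests on two checks: is a rule already covered by an earlier rule (redundant if the actions agree, shadowed and therefore unreachable if they differ), and has a rule matched any traffic during the observation window? The following is an added example, not SecureTrack's or Virgin Media's code, that runs both checks over a small constructed rule base with constructed hit counts. It assumes first-match-wins evaluation and IPv4 CIDR notation; rule ids, addresses, ports and hit counts are all sample values.

```python
"""Firewall rule-base clean-up: flag rules that an earlier rule already covers
(redundant when the actions agree, shadowed when they differ) and rules that
matched no traffic in the observation window. Assumes first-match-wins
evaluation, as on Check Point and most other firewalls."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    rid: int
    src: str        # CIDR; "0.0.0.0/0" means any source
    dst: str        # CIDR; "0.0.0.0/0" means any destination
    proto: str      # "tcp", "udp" or "any"
    ports: tuple    # inclusive (low, high) destination port range
    action: str     # "accept" or "drop"


ANY_PORT = (0, 65535)


def _net(cidr: str):
    return ipaddress.ip_network(cidr, strict=False)


def covers(outer: Rule, inner: Rule) -> bool:
    """True when every packet matched by `inner` is also matched by `outer`,
    so that `outer`, placed earlier, makes `inner` unreachable."""
    return (
        _net(inner.src).subnet_of(_net(outer.src))
        and _net(inner.dst).subnet_of(_net(outer.dst))
        and outer.proto in ("any", inner.proto)
        and outer.ports[0] <= inner.ports[0]
        and outer.ports[1] >= inner.ports[1]
    )


def analyse(rules, hits):
    """Return {rule id: (verdict, id of the earlier rule responsible, or None)}.

    'redundant': an earlier rule with the same action already covers it.
    'shadowed':  an earlier rule with the opposite action covers it; the rule
                 can never fire, which is usually a mistake worth reviewing.
    'unused':    reachable but zero hits in the window.
    'active':    reachable and in use."""
    findings = {}
    for position, rule in enumerate(rules):
        blocker = next((earlier for earlier in rules[:position] if covers(earlier, rule)), None)
        if blocker is not None:
            verdict = "redundant" if blocker.action == rule.action else "shadowed"
            findings[rule.rid] = (verdict, blocker.rid)
        elif hits.get(rule.rid, 0) == 0:
            findings[rule.rid] = ("unused", None)
        else:
            findings[rule.rid] = ("active", None)
    return findings


def removable(findings):
    """Candidates for deletion: redundant (no behavioural change) and unused (no observed traffic)."""
    return sorted(rid for rid, (verdict, _) in findings.items() if verdict in ("redundant", "unused"))


def needs_review(findings):
    """Rules that are unreachable because an earlier rule takes the opposite action."""
    return sorted(rid for rid, (verdict, _) in findings.items() if verdict == "shadowed")


# Constructed rule base (documentation address ranges) and constructed hit counts.
SAMPLE_RULES = [
    Rule(1, "10.0.0.0/8",     "192.0.2.10/32",   "tcp", (443, 443), "accept"),
    Rule(2, "10.1.0.0/16",    "192.0.2.10/32",   "tcp", (443, 443), "accept"),  # covered by rule 1
    Rule(3, "0.0.0.0/0",      "192.0.2.0/24",    "tcp", ANY_PORT,   "drop"),
    Rule(4, "203.0.113.0/24", "192.0.2.20/32",   "tcp", (22, 22),   "accept"),  # rule 3 drops it first
    Rule(5, "10.0.0.0/8",     "198.51.100.0/24", "udp", (53, 53),   "accept"),  # reachable, never hit
    Rule(6, "10.0.0.0/8",     "198.51.100.5/32", "tcp", (25, 25),   "accept"),
]
SAMPLE_HITS = {1: 90000, 2: 0, 3: 5000, 4: 0, 5: 0, 6: 1200}

if __name__ == "__main__":
    result = analyse(SAMPLE_RULES, SAMPLE_HITS)
    for rid, (verdict, cause) in result.items():
        print(f"rule {rid}: {verdict}" + (f" (by rule {cause})" if cause else ""))
    print("removable:", removable(result), "review:", needs_review(result))
```

Pairwise coverage is a first pass only: a rule that is shadowed by the union of two or more earlier rules, none of which covers it alone, is not caught, and zero hits only mean "unused" if the window spans the longest business cycle (month-end batch jobs, annual reporting). Disabling a flagged rule for a cycle before deleting it is the safe route.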

“Virgin Media’s experience validates what we hear across our customer and partner base – that SecureTrack provides immediate, dramatic, and quantifiable value,” said Ruvi Kitov, CEO, Tufin Technologies. “As a result, we have developed strong customer and partner relationships that fuel our ongoing innovation. We are delighted to add Virgin Media to our roster and look forward to a long and fruitful relationship with Nebulas and Virgin Media moving forward.”

A detailed case study on Virgin Media’s SecureTrack deployment is available for download at http://www.tufin.com/downloads/tufin_virgin_media_case_study_en.pdf.

Tufin SecureTrack™ is the market-leading Security Lifecycle Management solution. SecureTrack enables organizations to enhance security, reduce service interruptions and automate day-to-day tasks through powerful firewall management capabilities and reporting. SecureTrack helps security operations teams to control and manage policy changes, analyze risks, and ensure business continuity and allows managers to easily understand the big picture and align operations with corporate and government security standards.

Tufin Technologies is the leading provider of Security Lifecycle Management solutions that enable large organizations to enhance security, ensure business continuity and increase operational efficiency. Tufin's products SecureTrack™ and SecureChange™ Workflow help security operations teams to manage change, minimize risks and dramatically reduce manual, repetitive tasks through automation. With a combination of accuracy and simplicity, Tufin empowers security officers to perform reliable audits and demonstrate compliance with corporate and government standards. Founded in 2005 by leading firewall and business systems experts, Tufin now serves more than 400 customers around the world, including leading financial institutions, telecom service providers, transportation, energy and pharmaceutical companies. For more information visit www.tufin.com, or follow Tufin on:

Twitter at http://twitter.com/TufinTech,

LinkedIn at http://www.linkedin.com/groupRegistration?gid=1968264,

FaceBook at http://www.facebook.com/home.php#/group.php?gid=84473097725

The TufinBlog at http://tufintech.wordpress.com/

Nebulas Solutions Group is a security, acceleration and virtualisation specialist. The Group offers sophisticated technology solutions, consultancy and implementation expertise to help organisations address their key business issues of data security, acceleration and availability. Nebulas Solutions Group comprises three divisions: Nebulas Security is the UK’s leading provider of IT security, data privacy and compliance solutions. Nebulas Xcelerate provides leading WAN optimisation and applications acceleration solutions and Nebulas Virtualise offers market leading virtualisation solutions. The Group’s combined expertise ensures that organisations can maximize the performance, efficiency and security of their IT infrastructure, as well as reducing operating costs. Based in London, Nebulas Solutions Group has more than 200 customers worldwide, including many blue chip and FTSE 250 organisations. For further information, go to www.nebulassolutions.com


DeviceLock now thwarts data leakage via iPhone and Blackberry local syncs

Moscow, Russia – November 2009 – DeviceLock, Inc., a worldwide leader in endpoint data leak prevention software solutions, today announces that version 6.4.1 of its DeviceLock® software now delivers highly granular, interface-independent control over local data synchronisations between iPhone® and iPod® touch mobile devices and corporate endpoint computers like desktops and laptops. DeviceLock 6.4.1 also includes device presence detection, access control and logging for BlackBerry® devices.

With iPhone and BlackBerry support, DeviceLock delivers an unprecedented level of control for local synchronisation between DeviceLock-protected computers and most popular business-level smartphones including Windows Mobile®, Palm®, iPhone, and BlackBerry platforms.

“There are many legitimate reasons for an employee to connect a smartphone to their office PC and run a local synchronisation for data transfer. However, anyone with an illegitimate purpose in mind, like data theft, knows that such transfers completely bypass the corporate network and cannot be controlled by network-based security solutions,” explained Ashot Oganesyan, DeviceLock CTO and Founder. “An all-or-nothing approach – when all smartphones are either allowed or prohibited to sync locally with a particular computer – is too risky. The ‘all’ setting risks security, the ‘none’ productivity. You need a means of defining and enforcing permissions on a more flexible, granular basis. Our customers already count on DeviceLock for permissions-based management of removable storage devices, so it’s a natural extension to cover local syncs by smartphone platforms. With DeviceLock in place, organisations can impose a “least privilege” mobile device policy that limits data exchanges to only specific smartphones and to only the types of data required for an employee to carry out their business duties.”

Featuring a patent-pending local synchronisation filtering technology, DeviceLock gives security administrators the ability to centrally control which types of data specified users or their groups are allowed to synchronise between corporate computers and locally connected mobile devices including Windows Mobile, Palm, iPhone, and iPod. In addition, device presence detection, access control and event logging is also supported for BlackBerry® smartphones.

For Windows ActiveSync®, Windows Mobile Device Center, HotSync® and iTunes® protocols, DeviceLock can recognise and filter numerous data object types, empowering administrators to selectively allow or block the synchronisation of files, emails, email attachments and accounts, contacts, tasks, notes, calendar items, bookmarks, and various media types. For Windows Mobile devices, permissions can also be defined for remote installation and execution of applications.

Time- or schedule-based policies, as well as data flow direction control, can also be enforced for local synchronisations to allow corporate security policies to be more flexible, precise and dynamic. DeviceLock detects the presence of any supported mobile device regardless of its connection interface. Smartphones that connect through a USB interface can be identified and white-listed with fine granularity, even down to the level of a unique device.
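Both the IronKey strategy above (Steps 5 and 6: analyse new devices as they connect and lock out anything unauthorised) and the DeviceLock white-listing described here come down to one decision: admit a device by its unique identity, not by its type. The following is an added example, written for this page and not code from either vendor, that makes that decision over udev-style connection events. The property names are those udev assigns on Linux (ID_VENDOR_ID, ID_MODEL_ID, ID_SERIAL_SHORT, ID_USB_INTERFACES); the vendor and product IDs, serials, allow-list and the composite-HID rule are constructed sample values and policy choices for the example.

```python
"""USB device admission control: allow corporate-issued drives by unique
identity, block every other mass-storage device, and flag composite devices
that combine a keyboard interface with something else. Input lines carry
udev-style properties; the sample events and the allow-list are constructed."""
from dataclasses import dataclass

# Issued secure drives, keyed on (vendor id, product id, serial number).
# Two sticks of the same model are different devices: only the serial
# separates a corporate drive from a privately bought one. Sample values.
ALLOWED_DEVICES = {
    ("0951", "1666", "CORP-0001"),
    ("0951", "1666", "CORP-0002"),
}

MASS_STORAGE = "08"   # USB interface class codes
HID = "03"


@dataclass
class Decision:
    device: str
    allowed: bool
    reason: str


def parse_properties(line: str) -> dict:
    """'KEY=value KEY=value ...' -> dict (values contain no spaces here)."""
    return dict(token.split("=", 1) for token in line.split() if "=" in token)


def interface_classes(id_usb_interfaces: str) -> set:
    """ID_USB_INTERFACES is ':ccsspp:ccsspp:' (class, subclass, protocol in hex
    per interface); return the set of class codes the device exposes."""
    return {part[:2] for part in id_usb_interfaces.strip(":").split(":") if part}


def evaluate(props: dict) -> Decision:
    identity = (props.get("ID_VENDOR_ID", ""), props.get("ID_MODEL_ID", ""),
                props.get("ID_SERIAL_SHORT", ""))
    label = ":".join(identity)
    classes = interface_classes(props.get("ID_USB_INTERFACES", ""))
    # Policy is evaluated per device, never per user: no exceptions for the MD.
    if identity in ALLOWED_DEVICES:
        return Decision(label, True, "allow-listed corporate drive")
    if MASS_STORAGE in classes:
        return Decision(label, False, "unauthorised mass storage")
    if HID in classes and len(classes) > 1:
        # A 'keyboard' that also exposes another function is how keystroke
        # injection devices present themselves; blocking composite HID is a
        # policy choice made for this example.
        return Decision(label, False, "composite HID device")
    return Decision(label, True, "no storage interface")


def apply_policy(lines):
    """Evaluate each connection event; return the decisions and an audit log."""
    decisions = [evaluate(parse_properties(line)) for line in lines]
    audit = [f"{'ALLOW' if d.allowed else 'BLOCK'} {d.device}: {d.reason}" for d in decisions]
    return decisions, audit


# Constructed connection events, one device per line.
SAMPLE_EVENTS = [
    "ID_BUS=usb ID_VENDOR_ID=0951 ID_MODEL_ID=1666 ID_SERIAL_SHORT=CORP-0001 ID_USB_INTERFACES=:080650:",
    "ID_BUS=usb ID_VENDOR_ID=0951 ID_MODEL_ID=1666 ID_SERIAL_SHORT=9A3F21 ID_USB_INTERFACES=:080650:",
    "ID_BUS=usb ID_VENDOR_ID=046d ID_MODEL_ID=c31c ID_USB_INTERFACES=:030101:030102:",
    "ID_BUS=usb ID_VENDOR_ID=1b3f ID_MODEL_ID=2008 ID_SERIAL_SHORT=X1 ID_USB_INTERFACES=:030101:080650:",
    "ID_BUS=usb ID_VENDOR_ID=1b3f ID_MODEL_ID=2009 ID_SERIAL_SHORT=X2 ID_USB_INTERFACES=:030101:0a0000:",
]

if __name__ == "__main__":
    for entry in apply_policy(SAMPLE_EVENTS)[1]:
        print(entry)
```

Keying the allow-list on the serial number is what separates the corporate stick from a privately bought stick of the same model: the second sample event has the same vendor and model as the first and is still blocked. A device that presents a cloned serial defeats this check, which is one reason the managed secure drives discussed above add authentication on top of descriptor-level identity.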

For organizations of any size and industry, DeviceLock software proactively protects endpoint computers against local data leaks and malware infiltration resulting from insider negligence, accidental mistakes or malicious actions. It enables IT security personnel to precisely control, log, shadow-copy and audit end-user access to all types of local ports and peripheral devices, including personal mobile devices, as well as local and network printers. Complementing its port, device, and data channel-based controls with data type-level security, DeviceLock supports true file type detection and filtering. This function works by intercepting any file system’s read/write operations with peripheral devices, performing real-time analysis of the entire binary content of transmitted data, and enforcing applicable file-type based security policies. DeviceLock also integrates with leading encryption products from PGP, Lexar, SecurStar, and TrueCrypt in order to protect data on removable storage devices. In addition, DeviceLock blocks operations of USB and PS/2 hardware keyloggers.
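File-type detection by content, as described in the paragraph above, means classifying the bytes rather than trusting the file name. The following is an added example, not DeviceLock's implementation, that identifies a file from its magic bytes (with a little extra structure for ZIP containers and MZ executables), compares the result with the extension, and applies a transfer policy. The signature table lists well-known public magic numbers; the policy mappings and the sample files are constructed for the example.

```python
"""Content-based file type detection: classify data by its leading bytes
(plus a little container structure for ZIP and MZ), then compare the result
with the extension the user gave the file and with a transfer policy.
Sample files are constructed byte strings, not real documents."""
import os
import struct

# Well-known magic numbers, all at offset 0.
SIGNATURES = [
    (b"%PDF-", "pdf"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"PK\x03\x04", "zip"),
    (b"MZ", "mz"),
    (b"\x7fELF", "elf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),   # legacy .doc/.xls/.ppt
    (b"Rar!\x1a\x07", "rar"),
    (b"\x1f\x8b", "gzip"),
]


def _first_zip_entry_name(data: bytes) -> str:
    """Name in the first local file header (name length at offset 26, name at 30)."""
    if len(data) < 30:
        return ""
    name_len = struct.unpack_from("<H", data, 26)[0]
    return data[30:30 + name_len].decode("ascii", "replace")


def _has_pe_header(data: bytes) -> bool:
    """An MZ stub points at the PE header through e_lfanew at offset 0x3c."""
    if len(data) < 0x40:
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3c)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def detect_type(data: bytes) -> str:
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            if kind == "zip":
                # Office Open XML is a ZIP whose first entry is [Content_Types].xml
                return "ooxml" if _first_zip_entry_name(data) == "[Content_Types].xml" else "zip"
            if kind == "mz":
                return "pe" if _has_pe_header(data) else "mz"
            return kind
    if data and all(b in (9, 10, 13) or 32 <= b < 127 for b in data):
        return "text"
    return "unknown"


# Which detected types an extension may carry, and what never leaves regardless
# of name. These policy values are example choices.
EXPECTED_TYPES = {
    ".pdf": {"pdf"}, ".docx": {"ooxml"}, ".doc": {"ole2"}, ".jpg": {"jpeg"},
    ".png": {"png"}, ".zip": {"zip"}, ".txt": {"text"},
}
BLOCKED_TYPES = {"pe", "mz", "elf"}


def check_transfer(filename: str, data: bytes):
    """Return (detected type, verdict) for a file about to be written to removable media."""
    kind = detect_type(data)
    ext = os.path.splitext(filename)[1].lower()
    if kind in BLOCKED_TYPES:
        return kind, "block: executable content"
    if ext not in EXPECTED_TYPES:
        return kind, "block: extension not in policy"
    if kind not in EXPECTED_TYPES[ext]:
        return kind, f"block: content is {kind}, name claims {ext}"
    return kind, "allow"


def _zip_with_first_entry(name: str) -> bytes:
    """Minimal local-file-header prefix of a ZIP whose first entry is `name`."""
    return b"PK\x03\x04" + b"\x00" * 22 + struct.pack("<HH", len(name), 0) + name.encode()


def _fake_pe() -> bytes:
    """MZ stub with e_lfanew = 64 and a PE signature at that offset."""
    return b"MZ" + b"\x00" * 58 + struct.pack("<I", 64) + b"PE\x00\x00"


# Constructed sample files.
SAMPLE_FILES = {
    "report.pdf": b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n",
    "holiday.jpg": _fake_pe(),                              # executable renamed to an image
    "memo.docx": _zip_with_first_entry("[Content_Types].xml"),
    "notes.txt": _zip_with_first_entry("payload.bin"),      # archive renamed to .txt
    "readme.txt": b"Plain text, nothing to see here.\n",
}

if __name__ == "__main__":
    for name, data in SAMPLE_FILES.items():
        print(name, check_transfer(name, data))
```

Content detection is only as deep as the inspection: the PE in the sample is caught whether it is named .exe or .jpg, but the same PE dropped inside a ZIP is reported as "zip". A policy that allows archives therefore needs recursive inspection of their contents (or a block on archives), and the signature table needs maintaining as new formats appear.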

DeviceLock provides scalable, centralised, and easy-to-learn management and administration via a Microsoft Management Console (MMC) that natively integrates with Group Policy Object Editor in Microsoft Active Directory. DeviceLock agents can be deployed, managed and administered completely from within an existing Microsoft Active Directory domain. A separate component, the DeviceLock Enterprise Server (DLES), is available for centrally auto-collecting audit and shadow data from managed endpoints. Highly-granular event logging and data shadowing configurations are supported for tracking and analyzing user actions on peripheral ports/devices, related system events and data transferred to peripheral devices. In addition, DLES can monitor remote DeviceLock-managed computers in real-time to check on agent status and policy template consistency. New in DeviceLock 6.4.1 is an optional add-on component for full-text search in the central shadowing and event log database – DeviceLock Search Server (DLSS). DLSS is aimed at making the labor-intensive processes of information security compliance auditing, incident investigations, and forensic analysis more precise, convenient and time-efficient.

Since its inception in 1996 as SmartLine, DeviceLock, Inc. has been providing endpoint device control software solutions to businesses of all sizes and industries. Protecting more than 4 million computers in over 60,000 organisations worldwide, DeviceLock has a vast range of corporate customers including financial institutions, state and federal government agencies, classified military networks, healthcare providers, telecommunications companies, and educational institutions. DeviceLock, Inc. is an international organization with offices in San Ramon (California, US), London (UK), Ratingen (Germany), Moscow (Russia) and Milan (Italy).