New TwinStrata and Scality partnership delivers turnkey private cloud storage solutions

NATICK, MA / SAN FRANCISCO, CA - November 30, 2010 - TwinStrata, Inc., the leading innovator in data protection and iSCSI cloud storage solutions, has integrated Scality's RING storage platform into its family of CloudArray® virtual and physical appliances. With the addition of Scality integration, CloudArray customers can now easily choose and deploy either a private cloud environment or connect with internationally available public cloud providers powered by Scality RING and receive off-site data protection and disaster recovery capabilities on a "plug-and-play" basis.

TwinStrata CloudArray's "like local" performance, control, and policy-driven automation enable Scality customers to leverage the on-demand elasticity and adaptability of Scality's RING cloud storage through asynchronous replication, in-cloud snapshots, dynamic caching, in-flight and at-rest encryption, compression, iSCSI, and continuous access to and control of data in the cloud. In the event of a disruption or an outage, data can be rapidly restored on-site, off-site, or in the cloud, providing secure, anywhere, anytime application and data accessibility.

Scality's RING software combines the storage capabilities of numerous x86 generic servers to deliver a storage cloud infrastructure with carrier-grade scalability, service availability and data reliability. Scality's RING enables a lower cost of ownership, while providing a very simple management interface where additional performance or capacity can be added or removed to meet customer needs with zero service interruption.

"One of the primary use cases of cloud storage is as a low-cost alternative tier of storage, allowing migration of less used data," said Gartner Research Director Adam Couture. "But whether you're talking public or private clouds, the challenge has always been integrating the cloud with traditional data center storage infrastructure."

Together, Scality RING and TwinStrata CloudArray solve this challenge by providing a low-cost cloud storage infrastructure along with plug-and-play access to traditional IT infrastructures for off-site data protection and disaster recovery solutions.

The benefits of using TwinStrata CloudArray with the Scality RING storage platform are many and include:

  • Minimal operational requirements, elastic scalability, and a self-healing architecture with volume management
  • Flexible and agile business continuity and disaster recovery capabilities
  • A simple, affordable, fast, and non-intrusive deployment model
  • Significantly reduced capex, opex, and management complexity
  • Access to public and private cloud infrastructures, hybrid models

"Businesses are seeking ways to cut costs without sacrificing the security and integrity of their critical data assets," said TwinStrata's CEO, Nicos Vekiarides. "CloudArray's built-in flexibility and security satisfy the most stringent data storage and protection policies imaginable. Our partnership with Scality provides a way for CloudArray end users to meet their data protection demands by leveraging an innovative, robust and economical cloud storage architecture."

Jerome Lecat, Scality's CEO, added: "Storing, backing up and archiving an always increasing amount of data without growing the cost is one of the biggest challenges for business IT today. Scality RING's patented, self-repairing storage architecture revolutionizes the enterprise world by delivering the unparalleled economics of the Cloud to every enterprise. Our partnership with TwinStrata offers enterprises an easy to deploy and secure solution to deal with critical data protection, email archiving and disaster recovery at a significantly reduced cost."

CloudArray, complete with Scality interoperability, is available from TwinStrata and through its network of partners. For more information, visit www.twinstrata.com/cloudarray, email sales@twinstrata.com or call 508-651-0199.

Scality is the developer of RING, a software platform enabling cloud storage to easily scale up to exabytes using commodity server hardware with direct attached storage. Scality is used by service providers to deploy Storage-as-a-Service offerings, by email providers to store emails for millions of users, and by web services managing billions of files with very high performance expectations, either for Web 2.0 or business applications. Scality RING is based on a patented object storage technology, which delivers high availability, ease of operations and total control of your data. Scality delivers the performance and reliability of a SAN- or NAS-based architecture without the hassles of volume management at one third to half of the cost.

As well as supporting a "no single point of failure" storage pool, the resultant cloud storage service is available 24x7 to end user businesses with no service interruptions whatsoever.

For more information please visit www.scality.com or follow Scality on Twitter: @Scality.

TwinStrata provides enterprise-class data protection solutions that are simple, affordable, and secure. These solutions leverage the scalability and efficiency of cloud storage while maintaining the availability, performance and security of local storage. The company's CloudArray™ software provides a substantial cost savings over traditional off-site storage solutions, with a pay-as-you-grow model, unlimited elastic capacity, local performance, in-cloud snapshots, AES-256 encryption, and on-site, off-site or in-the-cloud access to data. For more information about TwinStrata and CloudArray software, visit www.twinstrata.com or follow CloudArray on Twitter: @CloudArray.

Source: Omarketing, for Scality

This press release is presented without editing for your information only.

TUFIN TECHNOLOGIES RANKS TENTH IN THE 2010 DELOITTE TECHNOLOGY FAST 500 EMEA

Recently Honored as the Second Fastest Growing Technology Company in Israel, Tufin’s Phenomenal Revenue Growth Leads to Top Spot on Deloitte’s EMEA Ranking

Ramat Gan, Israel – November 30, 2010 – Tufin Technologies, the market-leading provider of Security Lifecycle Management Solutions, today announced that it has ranked tenth on the 2010 Deloitte Technology Fast 500 EMEA, a ranking of the 500 fastest growing technology companies in Europe, the Middle East and Africa. Having already ranked second on Deloitte Israel's Technology Fast 50 ranking, Tufin's phenomenal year-over-year growth – 5359% over five years – also landed it a top spot on the EMEA list, making its achievement even more noteworthy.

“Making the Deloitte Technology Fast 500 EMEA ranking is a testament to a company's commitment to technology,” said David Halstead of Deloitte United Kingdom, partner in charge of the Deloitte Technology Fast 500 EMEA programme. “Tufin's top ranking in Israel – a country known for being a hotbed of technology innovation – combined with its number 10 rank in EMEA is an even stronger testament to its vision and ability to execute. Its incredible success in a difficult economic climate is a tremendous accomplishment for any technology company, and Tufin deserves full recognition for its accomplishments.”

The Deloitte program is based on percentage revenue growth over five years and recognizes all areas of technology and includes both public and private companies.  Founded in 2005, Tufin has provided its 600+ customers with the ability to automate critical but highly error prone, manual network security processes, enabling them to cost-effectively manage their network security policy, comply with regulatory standards, and minimize IT risk. Tufin’s products slash the time and cost of managing these processes by more than half – delivering a compelling value proposition in a fast-growing industry. 

To determine Tufin’s position on the list, Deloitte reviewed fiscal year revenues over five years (2005-2009), calculated the revenue growth percentage over five years, and compared it to the growth of participating technology companies, all of which held enough confidence in their financial prowess to invite close scrutiny of their economic performance.

“Tufin has been extremely fortunate to have developed the right set of solutions at the right time, and even more fortunate to have executed on the opportunity in a way that has sustained our growth,” said Ruvi Kitov, CEO, Tufin Technologies.  “Having this validated by Deloitte is an incredible honor and motivates us to work even harder to deliver our customers the most innovative, effective and useful solutions for managing network security operations.”

This prestigious honor is the latest in a series of accolades and honors Tufin has received throughout 2010. In addition to landing the #2 spot on the Deloitte Technology Fast 50 Israel list, at the end of October 2010 Tufin SecureChange Workflow won Network Computing's prestigious “Computing Security” award for Best Bench Tested Solution of the Year 2010, based on a standout review that appeared in the May 2010 issue. In July it won a prestigious Stevie Award – “Innovator of the Year” – from the International Business Association, and in June it received a 5-star review (top rating) in SC Magazine for Tufin SecureTrack, its flagship firewall operations solution. Earlier in the year, it received an honorable mention on StartupBusiness.com's list of Hot 100 Startups and was named a Red Herring EMEA “Hot 100” finalist.

This award dovetails with the general availability release of Tufin Security Suite (TSS) 5.2 - the latest combined offering of SecureTrack, its firewall operations, auditing and compliance product and SecureChange Workflow, its security change automation product. Featuring new network topology intelligence, multi-tenancy management, total support for Juniper Networks JunOS firewalls, enhanced Fortinet support, and automatic change verification, version 5.2 enables organizations to automate network security policy and change management at a much greater depth and breadth. Also generally available as part of the 5.2 offering is a custom solution for Managed Security Service Providers (MSSPs), that enables MSSPs to increase their service offerings and value-add to enterprise customers.

Tufin™ is the leading provider of Security Lifecycle Management solutions that enable companies to cost-effectively manage their network security policy, comply with regulatory standards, and minimize IT risk. Tufin’s award-winning products SecureTrack™ and SecureChange™ Workflow help security operations teams to manage change and perform reliable audits while dramatically reducing manual, repetitive tasks through automation. Founded in 2005 by leading firewall and business systems experts, Tufin serves more than 600 customers in industries from telecom and financial services to energy, transportation and pharmaceuticals. Tufin partners with leading vendors including Check Point, Cisco, Juniper Networks, Fortinet, F5, Blue Coat, McAfee and BMC Software, and is committed to setting the gold standard for technological innovation and dedicated customer service.

For more information visit www.tufin.com, or follow Tufin on:
Twitter at http://twitter.com/TufinTech
LinkedIn at http://www.linkedin.com/companies/tufin-technologies
Facebook at http://www.facebook.com/Tufintech
The Tufin Blog at http://www.tufin.com/blog
The Tufin Channel on YouTube at http://www.youtube.com/user/Tufintech

Source: Tufin Technologies

Data Security Feels the Heat

2010 has been the year when businesses and public bodies began to feel the heat as far as the issue of data security is concerned, according to Colin Tankard, Managing Director of data security firm, Digital Pathways.

Says Tankard, “All of a sudden this year the ICO – Information Commissioner's Office – has come down hard on businesses and public bodies such as the NHS with the introduction of the levying of fines up to £500,000. High profile cases have included ACS Law, who lost data held on behalf of BSkyB, Yorkshire Building Society and Zurich Insurance PLC, where an unencrypted backup tape was lost. Not only were Zurich found to be in breach of the Data Protection Act by the ICO but they were fined some £2million by the FSA (Financial Services Association).

“This is the first time that loss of data has been given real credence and as a result public awareness of the issue has increased, albeit still not quite in line with the US where, in 2010 alone, there have been 353 breaches made public, in which 9,391,864 records were lost (source: Privacy Rights Clearinghouse).

“Data security is like insurance: businesses tend not to be concerned with it until they experience a high profile data loss or they are forced to look at it due to legislation. For example, the NHS – who have certainly ‘felt the heat’ this year over the loss of data records – are currently undergoing strict audit processes which include the management of data security.

“In general, market conditions during 2010 have been slow. Ironically, we have had one of our most successful years as far as having clients choose our solutions for their business needs, but Financial Directors and their boards continue to be cautious, asking the question “when do we need to do this?” and deferring where possible.

“Going forward into 2011 we see the issue of data security remaining a high priority, especially if compliance such as PCI for credit card protection or increased levels of fines from the ICO are further enforced. But we see little change in terms of the releasing of finance to fund the appropriate solution.

“However, in terms of available technology, data security solutions have significantly moved forward to the point now that they are totally transparent to any application or infrastructure. This means integration of strong data control is easily achieved, without the need to re-write applications or processes, which clearly saves considerable spend on re-developing business processes.

“One thing is for sure, the issue of data security is here to stay and no business or public body can pretend otherwise”.

Source: Joy Moon, PR Consultant, Digital Pathways

Insider threat behind Wikileaks cybersecurity saga

London, 29th November 2010 - The Wikileaks saga of the last few days, which climaxed last night with the release of the first batch of more than 250,000 secret and confidential diplomatic cables sent by US embassies around the world, is a classic example of what can happen when the evolving insider security threat is ignored, says Imperva.

According to Amichai Shulman, CTO with the data security specialist, the saga - which took a curious twist on Sunday when Wikileaks' servers came under a distributed denial of service attack (http://bit.ly/gNhimg) - shows that organisations of all sizes seem to be preoccupied with defending against external attacks on their digital data assets, and are ignoring the internal security threat issue.

"Yes, there are hackers out there, but IT history has shown that the rogue employee is also a threat. The banking community is now starting to take action (http://bit.ly/enKRnq) to protect its assets, but organisations have a long way to go before they can truly tackle the very real risks that insider threats pose to their reputation and integrity," he said.

According to the Guardian, Bradley Manning, 22, a soldier serving as an intelligence analyst, has admitted stealing the information and described how easy it was to gain access to the files (http://bit.ly/fv4DCe).

It was childishly easy, according to the published chatlog of a conversation that Manning had with a fellow hacker. "I would come in with music on a CD-RW labelled with something like 'Lady Gaga' … erase the music … then write a compressed split file. No one suspected a thing ... [I] listened and lip-synched to Lady Gaga's Telephone while exfiltrating possibly the largest data spillage in American history." He said that he "had unprecedented access to classified networks 14 hours a day 7 days a week for 8+ months".

Shulman says that the source of the leak is believed to be the same individual responsible for the 75,000-document leak earlier this year, identified as a low-ranking soldier who abused legitimate access to the information. This is the second time this has happened without any measures being put in place to stop it, which illustrates the potential damage that insiders can cause in an organisation.

And, says the Imperva CTO, as with most incidents of this type, the most noticeable sign of trouble should have been the easily observable, intensive access to multiple documents by an authorised user. However, it is very difficult for organisations today to control access to files at an individual level: the rate at which sensitive information is generated in the form of files is ever growing, collaborative behaviour is widely encouraged by management, and employee turnover rates are high. Thus, beyond controlling and monitoring individual access to specific files based on their contents, organisations must monitor employee behaviour with respect to files in general.

"Any user retrieving large numbers of documents a day should raise an alert on a good business IT security system. This presumes, of course, that the organisation is not pre-occupied with conventional security and has ignored the abuse of data access privileges," he said.

"This embarrassing fiasco - which is certain to drag on for some time - shows that the internal threat is not necessarily about unauthorised access to data, but rather the abuse of legitimate access," he added.

"Organisations need to wake up to the complexities of internal threats, rather than simply relying on conventional IT security systems."
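The volume-based check Shulman describes (an authorised user pulling far more documents in a day than normal) is easy to express over a file-server audit trail. The following is an added example written for this page, not Imperva's code or any product's logic; the log line format, user names, document paths and the thresholds (200 distinct documents per day absolute, 10x the user's own median relative) are all assumptions for illustration, and the sample log is constructed inline.

```python
"""Volume-based detection of document-access abuse by an authorised user.

Parses file-server audit log lines (constructed sample below), counts the
distinct documents each user opened per day, and flags a user-day whose
count is far above an absolute ceiling or above the user's own history.
"""
import re
import statistics
from collections import defaultdict

# Assumed log format (hypothetical, not any real product's format):
#   2010-11-06T09:15:02 user=analyst1 action=read doc=/share/cables/doc0001.txt
LOG_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ user=(?P<user>\S+) "
    r"action=(?P<action>\S+) doc=(?P<doc>\S+)$"
)


def parse_access_log(lines):
    """Yield (day, user, doc) for each successful read; skip denied and malformed lines."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m and m.group("action") == "read":
            yield m.group("day"), m.group("user"), m.group("doc")


def daily_distinct_docs(events):
    """Map user -> {day: number of distinct documents read}.

    Distinct documents rather than raw read events: re-opening one file fifty
    times is not the same signal as pulling fifty different files."""
    seen = defaultdict(set)
    for day, user, doc in events:
        seen[(user, day)].add(doc)
    per_user = defaultdict(dict)
    for (user, day), docs in seen.items():
        per_user[user][day] = len(docs)
    return per_user


def find_anomalies(per_user, absolute_limit=200, ratio=10.0, min_history=3):
    """Flag a user-day when the distinct-document count exceeds `absolute_limit`,
    or exceeds `ratio` times the median of that user's previous days.
    The relative rule only fires once at least `min_history` prior days exist,
    so a new user's first few days cannot trigger it."""
    alerts = []
    for user, days in per_user.items():
        ordered = sorted(days)
        for i, day in enumerate(ordered):
            count = days[day]
            history = [days[d] for d in ordered[:i]]
            reasons = []
            if count > absolute_limit:
                reasons.append(f"{count} docs exceeds absolute limit {absolute_limit}")
            if len(history) >= min_history:
                baseline = statistics.median(history)
                if baseline > 0 and count > ratio * baseline:
                    reasons.append(f"{count} docs exceeds {ratio:g}x own median of {baseline:g}")
            if reasons:
                alerts.append((user, day, count, "; ".join(reasons)))
    return alerts


def build_sample_log():
    """Constructed sample: analyst1 reads 20 docs/day for five days, then 600 on day six;
    analyst2 reads 25/day throughout, each file twice, to exercise the distinct count."""
    lines = []
    for d in range(1, 7):
        day = f"2010-11-{d:02d}"
        n_docs = 600 if d == 6 else 20
        for n in range(n_docs):
            lines.append(f"{day}T09:{n % 60:02d}:00 user=analyst1 action=read doc=/share/cables/doc{n:04d}.txt")
        for n in range(25):
            lines.append(f"{day}T10:{n:02d}:00 user=analyst2 action=read doc=/share/reports/r{n:03d}.pdf")
            lines.append(f"{day}T10:{n:02d}:30 user=analyst2 action=read doc=/share/reports/r{n:03d}.pdf")
        lines.append(f"{day}T11:00:00 user=analyst2 action=denied doc=/share/hr/salaries.xls")
    lines.append("garbage line that does not parse")
    return lines


def run_sample():
    """Run the detector over the constructed log; returns the alert tuples."""
    per_user = daily_distinct_docs(parse_access_log(build_sample_log()))
    return find_anomalies(per_user)


if __name__ == "__main__":
    for user, day, count, why in run_sample():
        print(f"ALERT {day} {user}: {why}")
```

The relative rule is what catches the case in the article: a user whose legitimate job involves reading documents all day will not trip a population-wide threshold, but a jump of an order of magnitude against their own baseline stands out immediately. In practice the per-day buckets would be fed from the real audit source and the thresholds tuned per role.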

For more on the Wikileaks saga: http://bit.ly/fuPFiW

For more on Imperva: www.imperva.com

Source: Eskenzi PR

Stuxnet - The First Worm of Many for SCADA?

Dominic Storey, Technical Director, Sourcefire EMEA. August 2010

Stuxnet - What is it?

In early July, a new type of attack emerged that grabbed the attention of security managers across the world and also, for the first time, those managing industrial networks and the systems that comprise the national critical infrastructure. Their interest was gained because the new attack – called Stuxnet – targeted Siemens Supervisory Control and Data Acquisition (SCADA) systems.

There are quite a few noteworthy items about Stuxnet:

  • It exploits a Microsoft Windows vulnerability in the processing of shortcut (.lnk) files, such as desktop shortcut icons

  • It bypasses user account restrictions, so running a limited access account offers no protection.

  • Although its observed entry point in the network so far has been via USB media, its infection vector also works on network-attached storage

  • A user does not have to run anything – simply opening an infected folder and viewing the file icons is enough to infect their machine

  • It targets Siemens SIMATIC WinCC and PCS 7 industrial process management software and attempts to access those systems' databases using known default passwords

  • It is designed to transmit any information gathered to an external source

What seemed to surprise many people was that although Siemens responded with a fix, they advised their customers not to change the passwords of these systems. This advice makes sense when you consider what these systems do – control industrial processes in power stations, chemical plants, hospitals and so on. Their concern was that due to the complex distributed nature of these critical systems, a hastily implemented password change could cause system authentication failures and knock-on effects that could adversely affect process operation with potentially catastrophic consequences.

This highlights the problems plaguing organizations that run process control networks. Network connectivity has increased, but network security has not matched it. The proprietary devices that control, sense and manage these processes have been replaced by common off-the-shelf (COTS) components running Microsoft Windows and Linux, and although these devices have their own internal levels of security, their communications protocols such as Modbus and DNP3 offer little protection against attack: Modbus, for example, carries no authentication at all, so any host that can reach a controller can issue commands to it. In particular, security researchers are concerned about:

  • The lack of concern about security and authentication in the design, deployment and operation of existing SCADA networks

  • The belief that SCADA systems enjoy security through obscurity because they use specialized protocols and proprietary interfaces

  • The belief that SCADA networks are secure because they are physically secured

  • The belief that SCADA networks are secure because they are disconnected from the Internet

Many of these beliefs are unfounded, and with the advent of Stuxnet managers are coming to realise this. Stuxnet raises the bar on sophistication and is widely considered by the security community to be the first of many types of weaponised malware built for industrial espionage.
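To make the Modbus point concrete, here is an added example (written for this page, not Sourcefire or Siemens code) of the kind of check a passive sensor on a process control network can perform: parse each Modbus/TCP request frame and alert when a write function code arrives from a host that is not a known HMI or engineering workstation. The frame layout and function codes are from the public Modbus Application Protocol specification; the IP addresses and the captured frames are constructed for illustration, and the idea of a "known masters" allow-list is an assumption about how a site would define legitimate traffic.

```python
"""Passive Modbus/TCP inspection.

Modbus carries no authentication, so the only way to distinguish a legitimate
write from a hostile one is where it came from. This parses the MBAP header
and PDU of each captured request (constructed frames below) and alerts when a
write function code is sent by a host that is not a known master.
"""
import struct
from dataclasses import dataclass

# Public function codes from the Modbus Application Protocol specification.
READ_CODES = {1: "Read Coils", 2: "Read Discrete Inputs",
              3: "Read Holding Registers", 4: "Read Input Registers"}
WRITE_CODES = {5: "Write Single Coil", 6: "Write Single Register",
               15: "Write Multiple Coils", 16: "Write Multiple Registers"}


@dataclass
class ModbusRequest:
    src: str            # sender IP as seen on the wire: the only identity available
    transaction_id: int
    unit_id: int
    function: int
    address: int        # starting coil/register address, -1 if the PDU is too short
    data: bytes


def parse_modbus_tcp(src: str, frame: bytes) -> ModbusRequest:
    """Parse one Modbus/TCP request frame.

    MBAP header (7 bytes, big-endian): transaction id, protocol id (always 0),
    length (unit id + PDU in bytes), unit id. Nothing in it authenticates the sender."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    txn, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field disagrees with frame size")
    pdu = frame[7:]
    address = struct.unpack(">H", pdu[1:3])[0] if len(pdu) >= 3 else -1
    return ModbusRequest(src, txn, unit, pdu[0], address, pdu[3:])


def inspect(requests, known_masters):
    """requests: iterable of (src_ip, frame). Returns a list of alert strings."""
    alerts = []
    for src, frame in requests:
        try:
            req = parse_modbus_tcp(src, frame)
        except ValueError as err:
            alerts.append(f"MALFORMED {src}: {err}")
            continue
        name = (WRITE_CODES.get(req.function) or READ_CODES.get(req.function)
                or f"function {req.function}")
        if src in known_masters:
            continue                      # expected traffic from the HMI/engineering host
        if req.function in WRITE_CODES:
            alerts.append(f"HIGH {src} -> unit {req.unit_id}: {name} at address "
                          f"{req.address} from unauthorised master")
        else:
            alerts.append(f"LOW {src} -> unit {req.unit_id}: {name} (unknown host polling PLC)")
    return alerts


# Constructed capture: HMI 10.0.0.5 is the legitimate master; 10.0.0.99 is not.
SAMPLE_TRAFFIC = [
    # HMI: Read Holding Registers, address 0, quantity 10
    ("10.0.0.5", bytes.fromhex("0001 0000 0006 01 03 0000 000a")),
    # HMI: Write Single Register, address 0x0010, value 0x1234
    ("10.0.0.5", bytes.fromhex("0002 0000 0006 01 06 0010 1234")),
    # Unknown host: Read Input Registers (reconnaissance)
    ("10.0.0.99", bytes.fromhex("0003 0000 0006 01 04 0000 0004")),
    # Unknown host: Write Single Coil, address 1, value ON (0xFF00)
    ("10.0.0.99", bytes.fromhex("0004 0000 0006 01 05 0001 ff00")),
    # Unknown host: Write Multiple Registers, address 0, 2 registers, 4 data bytes
    ("10.0.0.99", bytes.fromhex("0005 0000 000b 01 10 0000 0002 04 0001 0002")),
]
KNOWN_MASTERS = {"10.0.0.5"}


def run_sample():
    """Inspect the constructed capture; returns the alert strings."""
    return inspect(SAMPLE_TRAFFIC, KNOWN_MASTERS)


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

Note what the parser cannot do: there is no field to check a password, signature or session against, so the frame from 10.0.0.99 that switches a coil on is byte-for-byte as valid as the HMI's own writes. That is why the monitoring has to be passive and source-based, and why the sensor must sit where it can see the traffic without being in the control loop.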

What actions can be taken to protect these networks? A defense in-depth strategy is recommended, with multiple layers of defence, such as encryption, firewalls, access control, intrusion detection, compliance enforcement and anti-virus protection. And of course, awareness is everything.

Increasing Awareness, Retrofitting Security

Sourcefire in particular can help managers understand what is happening on their network. Sourcefire provides three key products that are especially useful in a process control environment:

  • Sourcefire 3D sensor running Snort™ for intrusion detection. Snort sensors can be deployed passively with zero impact on the process control network, or in-line to provide intrusion prevention. Amongst IPS systems, Snort has a clear advantage in that its rules are transparent and open; indeed the Snort rules language has become the de facto method of exchanging intrusion detection rules between systems. Many government national critical infrastructure bodies publish Snort rules that can be imported into Sourcefire 3D systems to provide protection. Sourcefire 3D IPS includes a set of SCADA rules to identify common problems and already has a rule to detect WinCC database access attempts using the default password.

  • Sourcefire 3D sensor running Real-time Network Awareness™. RNA provides network discovery with zero risk on process control networks by acquiring information about hosts by totally passive means. RNA can identify operating system and service vendor and versions for common equipment using built-in rules that can be easily extended to deal with proprietary process control hardware and software. Most importantly, the discovery process happens in real-time and can be correlated by the Defense Center to perform impact correlation and data reduction of events on the process control network.

  • Sourcefire Defense Center (DC). The DC is roughly equivalent to a combined HMI and PLC, in that it provides control over a distributed network of sensors, acquires data from them and presents that data to the human operators. The DC includes powerful analytics and a rules processor, enabling it to perform functions such as network behavioural analysis and process control device network compliance enforcement. The DC can also interface to many other devices in the network, from SNMP-based monitoring systems, directory servers, mail servers and other monitoring systems to switches, firewalls, routers and other network control systems, giving managers great flexibility in integrating network security with their process control network.

Sourcefire 3D has also been widely adopted by organizations who need to protect their corporate networks against sophisticated attacks and has fast become the de facto standard for large financial, pharmaceutical and government institutions across the world. If your organization falls into this camp, there is added benefit in standardizing on Sourcefire for your process control network: cost of ownership can be reduced and management can be simplified. And since the DC supports multi-tiered operation and role-based administration, process control engineers will no longer have to fight the IT department for access, or give up their autonomy in the environment they work in.

Summary

As process control networks become increasingly connected to the Internet, their exposure to a wider range of sophisticated attacks grows. Sourcefire has a powerful solution that can be applied to corporate and process control networks alike. As Stuxnet has shown, the problem is only going to get worse, but with Sourcefire 3D protection can be extended to encompass both networks.

Tufin warns IT departments to prepare for Christmas network overload

25 November 2010 - With more than 82 per cent of the adult population now having access to the Internet, Tufin Technologies is warning IT managers of the need to prepare for a potential network overload situation as workers use their company IT resources for everything from multimedia greetings to videoconferencing connections to distant colleagues.

And that, says Reuven Harrison, the security lifecycle management specialist's chief technology officer, is before we even begin to talk about those organisations that host Web sites in the online retail sector, or process payment card transactions.

"Even at the best of times, the Internet is well loaded with Web surfing and general email exchanges, but the current cold snap, combined with the impending holidays - and the fact that many people are taking their annual leave allocation before the year's end - means that workers are turning to the Internet to ratchet up their work efficiency," he said.

"Videoconferencing is definitely in vogue amongst many of the companies we encounter, but the real potential Internet killer is the number of Web site visitors - and the consequential IP traffic that these sessions generate," he added.

According to Harrison, the potential overload situation will crank up a few more stops this coming weekend as Thanksgiving starts in the US, and Black Friday-driven online shopping starts in earnest.

Amazon, he explained, has done its bit to get users online with its UK-based Black Friday lightning sales, which have resulted in peak-time page issues on the Amazon.co.uk site.

Whilst Amazon is using all manner of Internet load balancing to ensure that users of its site only have to wait a short while for a page to load at peak times, the fact that the mighty shopping giant's Web site is exhibiting page loading delays indicates the potential scale of the problem, he went on to say.

So what can IT managers do to stop their Web sites - and the company IT resources - from becoming seriously stretched?

The solution, the Tufin CTO says, lies in careful planning.

IT managers and their staff, he advises, need to start monitoring their systems. The firewall, he points out, is a good point for monitoring connection rates.

"If there are rules that you need to report on, make sure that audit logs are being generated. If you are not recording firewall performance stats, turn them on now - before you need them," he said.

"Secondly, start looking for anything that can cause an interruption of service due to resource exhaustion. What is your firewall connection table limit? If it was 25,000 last year, it probably should be higher this year," he added.

Harrison went on to say that managers need to look at what their peak IP traffic was last year and what the peak has been so far this year - you should, he says, plan for somewhere between a 20 and 200 per cent increase, depending on your business model.

You will also, he notes, want to ensure you don't hit your maximum number of IP connections at this time of year.

"Most security experts advise setting this number low enough to stop a denial-of-service, but at this time of year we are expecting sudden bursts of connections, so flexibility is the name of the game," he explained.

It's also, he said, worth printing out some hard copies of performance trends from last year. It is much easier if you already have them handy when you are trying to understand this year's trends.

"Also take a look at all of your disk drives. Logically, do you have plenty of space? Don't forget to physically walk to your firewalls and make sure there are no failed drives with the little red lights on. With firewalls tucked away in data centres, and drives in RAID, we all sometimes forget to look for faults on devices, like a failed drive in a RAID mirror set," he said.

"Finally, don't forget the cloud. If, like many organisations, you are running a hybrid data centre configuration, ensure that your cloud service provider has sufficient spare and on-demand capacity to support a surge in peak time demand," he said.

Using these recommendations, Harrison says that IT managers can develop a good risk analysis strategy that they can update on a regular basis.

As your IT resource grows and diversifies, he adds, your IT security planning will then not get left behind. Then, if the worst really does happen, you'll be as prepared as possible.

Source: Eskenzi PR

Trusteer warns of growing security crisis for mobile networks

London, UK – 23rd November, 2010 – A report just published - which identifies mobile networks as having a number of key security vulnerabilities that must be addressed - has been welcomed by Secure Browsing Service specialist Trusteer.

Trusteer, whose secure browsing service is offered by a number of banks, says that the Heavy Reading report is quite correct in identifying a potential problem with the security of mobile networks, for the simple reason that the wireless nature of the cellular networks makes them more susceptible to criminal attack.

“If anything, our research suggests that the report understates the security risk that the last mile of the cellular-delivered mobile Internet now represents, as A5/1 – the main GSM encryption algorithm – was cracked in a practical attack late last year by Karsten Nohl (http://bbc.in/f8n4rP),” said Amit Klein, Trusteer’s chief technology officer. 

“Put simply, this means that, with sufficient equipment and CPU power, we believe that a cybercriminal can now mount a practical eavesdropping or Web browser injection attack on a cellular delivered Internet connection,” he added.

According to Klein, whilst a WiFi-based Internet connection can be said to be less secure than a desktop link, on the basis that the wireless signal can be intercepted and/or eavesdropped in some way, its range is relatively short before it hits the landline networks.

With the cellular mobile Internet, however, the signal can reach for several miles, and is therefore a lot more vulnerable to electronic trickery, he explained.

The Trusteer CTO went on to say that Heavy Reading's report reinforces his research team’s observations, since it adds the very real prospect of criminal tampering with the network infrastructure to the mix.

So far, he says, the industry has not seen any proven cases of network infrastructure tampering or Web browser injections, but the possibility grows stronger by the day, especially given the steady march of the mobile Internet.

With mobile dongles and MiFi units now becoming more and more popular - largely owing to their considerable flexibility and the fact that the technology also frees users from the `line rental tax' that almost all telcos impose on their broadband users – Klein says that more and more Web traffic is being carried the last mile by cellular means.

With the GSM Association having reported that the number of high-speed mobile broadband connections had topped the 150 million mark around the world in the summer of last year (http://bit.ly/oaKPx), it can be seen that cellular infrastructure - because of its wireless nature - now poses an IT security risk that many users overlook.

This, says Klein, is what makes this report so timely, and reinforces previous warnings about the mobile Internet security threat that few experts have even considered as a possibility.

Add in the fact that mobile Internet connections are highly transient, with dynamic IP addresses that are used and re-used on a cyclic basis, and you begin to see the nature of the problem, he noted.

"Until the hardware vendors and networks address the issue, perhaps with the assistance of IT security software vendors as well, it's clear that mobile Internet connections need to be considered less safe than their landline equivalents," he said.

“That isn't to say the problem isn't surmountable, as users of online financial services should employ any and all security measures available to them - such as installing in-browser security such as Trusteer Rapport - in addition to their existing IT security measures,” he added.

“Add in some serious commonsense when using mobile Internet connections, and your online session should be safe, despite the underlying insecurities in cellular encryption and the network infrastructures."

For more on the Heavy Reading report: http://bit.ly/cLudFi

For more on Trusteer: www.trusteer.com

Trusteer, the world’s leading provider of secure browsing services, helps secure computers against Man in the Middle, Man in the Browser, and Phishing attacks. Trusteer is currently used by more than 70 leading financial organizations and enterprises in North America and Europe, and by more than 15 million end users to protect their online banking, shopping and other communication against sophisticated malware attacks and fraud. HSBC, Santander, The Royal Bank of Scotland, SunTrust, Fifth Third, ING DIRECT, and Bank of Montreal are just a few of the banks using Trusteer’s technology. Trusteer's service for enterprises prevents malware from accessing enterprise network resources and sensitive information through SSL-VPN connections and unmanaged devices. Trusteer is a privately held corporation led by former executives from RSA Security, Imperva, and Juniper. Follow us on www.Twitter.com/Trusteer. For more information about our products and services, please visit www.trusteer.com.

Source: Eskenzi PR Ltd.

Extra security needed as hackers repurpose ZeuS to target business bank accounts

London, 23rd November 2010 - A report from the Associated Press, which goes into some detail about a string of real-world bank-account-draining sessions by hackers, highlights the fact that hackers are repurposing the ZeuS trojan to target business bank account users.

And the reason for this diversification, says Idappcom, the vulnerability testing specialist, is that business bank accounts tend to have higher bank balances, as well as having several people – and therefore several sets of user credentials - to access the account online within a given business.

"Ever since ZeuS first appeared back in the summer of 2007, we have been tracking its steady progress, especially since the trojan horse was successfully modified in the spring of last year, when hackers discovered they could extend the malware's functionality through the use of extensible code and scripting," said Ray Bryant, Idappcom's CEO.

"And now, as the AP newswire report of Monday shows, a number of US firms are discovering - to their cost - that the malware is still very much alive and kicking, and has drained their bank accounts of several hundreds of thousands of dollars," he added.

According to the Idappcom CEO, organisations as diverse as Detroit-based Experi-Metal and the Catholic Diocese in Des Moines, Iowa, are reported to have lost $1.14 million between them.

The roll call of business banking horror doesn't end there, as the AP newswire notes that the FBI has uncovered dozens of private and public sector organisations that have had their bank account contents siphoned off to so-called money mule bank accounts around the world.

These bank account mules, says Bryant, are often blissfully unaware that their accounts are being used for criminal purposes, and, on receipt of an email or text message from their ‘employer’, wire the bulk of the money onwards to the criminal's bank accounts, leaving them with their ‘commission’.

The FBI statistics are breathtaking in terms of their diversity and the volume of money being hoovered up from business bank accounts, with 390 reported cases in the last two years, centering on attempted thefts of $220 million and actual losses of $70 million.

Bryant says that these cases - more than one every 48 hours - are just those that have been reported in the US and are almost certainly the tip of the iceberg in terms of business bank account losses.

"And as the AP newswire says, quite correctly, with the Automated Clearinghouse in the US processing an amazing 600 transactions per second, it's almost impossible for the US banking agencies to monitor every transaction for fraud," he said.

"The big question, however, is for how long the banks and insurance companies will continue to reimburse losses due to ZeuS trojan activity, as the losses involved are bound to have had a negative effect on business insurance rates these last two years," he added.

"Businesses, as well as consumers, need to be ultra-vigilant when accessing their bank accounts online, and take every security precaution possible."

For more on the FBI ZeuS-driven fraud revelations: http://wapo.st/aWkLIE

For more on Idappcom: www.idappcom.com

Source: Eskenzi PR

Most employees will steal company secrets if they are fired

Survey finds most employees will leave with company data

November 22nd 2010, London (UK): An Imperva survey of more than 1000 UK residents indicates that insider threats are mainly comprised of normal, mainstream employees. Most strikingly, the survey found that 70% of respondents had clear plans to take something with them upon actually leaving their job. The most popular data is intellectual property (27%) and customer records (17%).  Moreover, about half of respondents claimed to have personal ownership of the data - 59% in the case that they were about to change jobs, and 53% if they knew they were about to be dismissed.

“This survey refutes the conventional wisdom that insiders are corporate spies or revenge-seeking employees,” explained Imperva CTO Amichai Shulman. “It seems most employees have no deliberate intention to cause the company any damage. Rather, this survey indicates that most individuals leaving their jobs suddenly believe that they had rightful ownership to that data just by virtue of their corporate tenure.”

Survey highlights include:

  • 70% of the respondents had clear plans to take something with them upon actually leaving. The most popular data was intellectual property (27%) and customer records (17%). Ironically, 66% of respondents would not deliberately take their employer’s data upon rumours of dismissal.
  • 79% of the surveyed individuals responded that either their organization does not have, or is unaware of, any policy to remove collected data from employees’ laptops upon departure.
  • Most respondents (72%) have admitted to taking out corporate data. This data is evenly distributed between customer records, HR records and marketing material.
  • More than half of the respondents claimed to have personal ownership of the data - 59% in the case that they were about to change jobs, and 53% if they knew they were about to be dismissed. Others considered it helpful in their next role (35% when changing workplace, 17% when they knew they were being terminated). The vast majority (85%) carry corporate data on their home computers or mobile devices. This data mostly consists of customer records (75%) and intellectual property (27%).

The survey shows that employees tend to extract information which is beyond their need to know and enterprises have practically no controls in place to prevent excessive privilege access:

  • 54% of the respondents have accessed data outside their explicit role permissions; customer records accounted for 50% of that interest. 54% also accessed files outside of their normal business privileges.
  • 73% of survey takers replied that existing access control mechanisms around this data are very easy to bypass.

The survey polled 1026 people in various business districts across London during November 2010.

Imperva is the global leader in data security. With more than 1,300 direct customers and 25,000 cloud customers, Imperva's customers include leading enterprises, government organizations, and managed service providers who rely on Imperva to prevent sensitive data theft from hackers and insiders. The award-winning Imperva SecureSphere is the only solution that delivers full activity monitoring for databases, applications and file systems. For more information, visit www.imperva.com, follow us on Twitter or visit our blog.

Imperva and SecureSphere are registered trademarks of Imperva, Inc. All other brand or product names are trademarks or registered trademarks of their respective holders.

Source: Eskenzi PR

Data Encryption Systems Wins ‘Encryption Solution of the Year’ at Computing Security Awards 2010

· DESlock+ nominated and voted for by the readers of Network Computing and Computing Security

Taunton, UK, 18th November 2010 – Data Encryption Systems Limited (DES), the UK-based leader in software copyright protection, data encryption, secure messaging and data storage solutions, today announced that its flagship product, DESlock+, was named ‘Encryption Solution of the Year’ at the Computing Security Awards 2010.

The presentation for the inaugural Computing Security Awards took place on 4th November. In total 23 awards were presented at the Hotel Russell in London's Russell Square. The winners in 20 of these categories were determined by nominations and votes cast by the readers of Network Computing and Computing Security. DESlock+ was nominated and selected for this prestigious award against stiff competition.  Other products in this particular award category included:

DES - DESlock+ (WINNER)
Becrypt - Disk Protect (RUNNER UP)
Check Point - Pointsec Mobile Encryption
CipherOptics - CipherOptics ESG100
Cryptosoft - Enterprise Server for PGP
PGP - Whole Disk Encryption
Sophos - SafeGuard Private Disk
Winmagic - Securedoc

Commenting on the win, David Tomlinson, Managing Director, DES said: “We are extremely proud that our encryption product has been recognised at the Computing Security Awards. Our strong ability to innovate, even in today’s tough climate, has enabled us to stand head and shoulders above the competition, and winning ‘Encryption Solution of the Year’ is a fantastic accolade that verifies our market-leading position in the data encryption market.”

DESlock+ helps organisations to protect against all types of data breach by offering simple, yet extremely powerful, encryption of documents, folders, disks and removable storage media, and computer systems. The solution is both Windows 7 compatible and FIPS 140-2 approved. The United States Federal Government is required to purchase only cryptographic products that are validated to the FIPS 140-2 standard, so this is a highly sought-after accreditation.

David Bonner, Event Manager for the Computing Security Awards 2010 said: “I am delighted to see a British company coming out on top against some pretty heavyweight US software vendors.  Britain has talent and DES demonstrates the power of innovation through DESlock+.”

Nominations first opened at the end of June. In total, more than 5000 individuals cast votes, making this one of the biggest surveys relating to security solutions ever carried out in the UK. The organisers were delighted with the level of participation from readers and extremely impressed by all the winners.

This accolade comes hot on the heels of a glowing five-star review of DESlock+ which appeared in the October edition of SC Magazine. The product was recognised in particular for its ease of use, features, documentation and support, with the overall verdict pronouncing DESlock+ a solid product.

To see the full list of Winners and Runners-up for the Computing Security Awards 2010 please visit http://www.computingsecurityawards.co.uk/.  If you would like to read the full review on DESlock+ please visit: http://www.scmagazineus.com/data-encryption-systems-deslock-business-desktop/review/3321/.  If you are interested in finding out more about DESlock+ please visit www.des.co.uk.

Since 1985, Data Encryption Systems has been the UK’s most successful manufacturer of software protection dongles, software copyright protection systems, and secure handset reprogramming accessories. Data Encryption Systems markets and supports products used by tens of thousands of businesses worldwide to protect applications, copyrighted materials, medical records, government files and other confidential and personal information. The company’s flagship product, DESlock+, has been awarded SC Magazine’s Best Buy for three successive years.

Source: C8 Consulting Ltd

This press release is presented without editing for your information only.

Credant Technologies say cloud-based crack of SHA-1 passwords is a taste of things to come

18th November 2010 - Reports that a German hacker has successfully cracked a Secure Hash Algorithm (SHA-1) hashed password using a pay-as-you-use, cloud-based parallel processing environment are very worrying, says Credant Technologies.

According to Chris Burchett, CTO and Co-Founder of the data security specialist, this is one of the first times that an SHA-1 hashed password has been cracked using rentable cloud-based computation.

"It's worrying because, as Thomas Roth says, it's easy to start up a 100-node cracking cluster with just a few clicks, but if you extend the parallel processing environment by just a few factors, it becomes possible to crack passwords of most types in a relatively short timeframe," he said.

"Although renting processing time on a cloud resource like Amazon Web Services could get relatively expensive at this level, there is the added dimension of cybercriminals using stolen payment card credentials to fund their cloud cracking escapades, which means they will not be bothered about the cost involved," he added.

Burchett went on to say that the incident has parallels with other online password and hash cracking services, including the revelation almost 12 months ago by security researcher Moxie Marlinspike that he had created an online WiFi password cracking service called, appropriately enough, WPAcracker.com.

At the time, some experts were calling Marlinspike’s service a cloud-based resource, but whilst the $17.00-a-time service can reportedly crack a WiFi password in around 20 minutes - a process that would take a dual-core PC around 120 hours - it is a highly specific cracking application with relatively finite processing power.

Using Amazon Web Services to crack a 160-bit SHA-1-hashed password, however, extends the hacker ballgame into a whole new cloud computing dimension, since it allows hackers to run custom cracking code that would normally take several months on a multi-core supercomputer - a platform that, of course, cybercriminals would not normally have access to, the Credant CTO explained.

Roth's exploit, says Burchett, is significant, as he claims to have cracked all the SHA-1 hashes of passwords between 1 and 6 characters long in around 49 minutes - and at a cost of just over one pound.

"Up to now, we’ve been in the realm of  a more limited use crack sites, but the concern is that the practically limitless compute resources for relatively low cost available in the cloud can make attacks that previously were proof of concept an everyday reality.  You can be sure that cybercriminals will be passing reports of Roth’s exploits on to their black hat hackers and asking them to repeat the methodology in other applications," he said.

"It has to be remembered that SHA-1, although it is being phased out, still forms part of several widely-deployed security applications, including Secure Sockets Layer, Transport Layer Security and S/MIME protocols to mention but a few," he added.

"At the moment, we are talking about a limited application, but it doesn't take a genius to work out the ramifications of Mr Roth's research project."

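The cracking run described above, as an added example that is not code from the original release or from Roth's work: a Python script that stores a constructed three-character password as bare SHA-1 and recovers it by exhaustive search, works out the keyspace arithmetic behind the 1-6 character, 49-minute claim, and shows the defender's answer, a salted PBKDF2 with a high iteration count, whose per-guess cost is what an attacker's cloud budget has to pay for. The 36-symbol demo alphabet, the 95-symbol printable ASCII assumption for the full estimate, the sample password and the iteration count are all assumptions of this example; the release does not say which character set Roth searched.

```python
import hashlib
import hmac
import itertools
import os
import string
import time

# Constructed demo alphabet (36 symbols). The release does not say which
# character set Roth searched; 95 printable ASCII symbols are assumed below
# for the full 1-6 character estimate.
DEMO_ALPHABET = string.ascii_lowercase + string.digits
PRINTABLE_ASCII = 95
PBKDF2_ITERATIONS = 100_000  # assumed cost parameter; raise it as hardware gets faster


def keyspace(alphabet_size: int, max_len: int) -> int:
    """Number of candidate passwords of length 1..max_len over the alphabet."""
    return sum(alphabet_size ** n for n in range(1, max_len + 1))


def implied_hash_rate(alphabet_size: int, max_len: int, seconds: float) -> float:
    """Hashes per second needed to exhaust the whole keyspace in `seconds`."""
    return keyspace(alphabet_size, max_len) / seconds


def sha1_hex(password: str) -> str:
    """Bare, unsalted SHA-1: the weak storage format the release is about."""
    return hashlib.sha1(password.encode()).hexdigest()


def brute_force_sha1(target_hex: str, alphabet: str, max_len: int):
    """Exhaustive search: hash every candidate until one matches target_hex.

    Returns the recovered password, or None if it lies outside the keyspace.
    A cloud cluster only parallelises this loop; nothing else is needed,
    because a fast hash costs the attacker exactly what it costs the verifier.
    """
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            candidate = "".join(chars)
            if sha1_hex(candidate) == target_hex:
                return candidate
    return None


def pbkdf2_store(password: str, salt: bytes = b"", iterations: int = PBKDF2_ITERATIONS) -> str:
    """Mitigation: store 'iterations$salt$dk' derived with PBKDF2-HMAC-SHA1.

    The random salt stops one search from covering many stolen hashes at once;
    the iteration count multiplies the cost of every single guess.
    """
    if not salt:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha1", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Re-derive with the stored parameters and compare in constant time."""
    iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha1", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def guesses_per_second(guess, trials: int) -> float:
    """Rough single-core rate at which `guess()` can be evaluated."""
    start = time.perf_counter()
    for _ in range(trials):
        guess()
    return trials / (time.perf_counter() - start)


if __name__ == "__main__":
    # 1. A constructed three-character password stored as bare SHA-1 falls to exhaustive search.
    leaked_hash = sha1_hex("k9z")
    print("recovered from SHA-1:", brute_force_sha1(leaked_hash, DEMO_ALPHABET, 3))

    # 2. Keyspace arithmetic behind the 1-6 character, 49-minute claim.
    print(f"1-6 char printable ASCII keyspace: {keyspace(PRINTABLE_ASCII, 6):,}")
    print(f"implied rate to finish in 49 min: {implied_hash_rate(PRINTABLE_ASCII, 6, 49 * 60):,.0f} hashes/s")

    # 3. Per-guess cost of bare SHA-1 versus PBKDF2 at PBKDF2_ITERATIONS.
    record = pbkdf2_store("k9z")
    assert pbkdf2_verify("k9z", record) and not pbkdf2_verify("k9y", record)
    fast = guesses_per_second(lambda: sha1_hex("k9z"), trials=20_000)
    slow = guesses_per_second(lambda: pbkdf2_verify("k9z", record), trials=5)
    print(f"SHA-1 guesses/s: {fast:,.0f}; PBKDF2 guesses/s: {slow:,.0f}; slowdown x{fast / slow:,.0f}")
```

Running the script prints the recovered password, the roughly 250 million hashes per second that exhausting all 1-6 character printable ASCII passwords in 49 minutes implies, and the measured slowdown per guess once PBKDF2 is used. The salt on its own does not stop a single hash from being brute-forced; it stops one search from covering many stolen hashes at once, while the iteration count is what turns a 49-minute job into one that no rented cluster finishes on a sensible budget.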
For more on the SHA-1 cracking-by-cloud revelations: http://bit.ly/9TWnXF

For more on Credant Technologies: www.credant.com

Source: Eskenzi PR


Incapsula Launches Cloud-based Web Application Firewall Service

New start-up, backed by Imperva, enhances website security and performance for small, medium-sized businesses

Tel Aviv, Israel, November 2010 - Incapsula announced on Nov 17, 2010 the debut of its cloud-based Web Application Firewall (WAF) service.  Incapsula was founded by Gur Shatz, Incapsula’s CEO and former VP of products at Imperva, and Marc Gaffan, Incapsula’s VP of Marketing and Business development, who was formerly the Director of Product Marketing at RSA.  Incapsula was spun out of Imperva to leverage Imperva’s award-winning WAF technology to meet the needs of small businesses worldwide.

Incapsula is a cloud-based, Web site security and performance service enabling businesses to:

· Safeguard and speed up their website,

· Avoid attacks and blacklisting,

· Improve website performance,

· Achieve PCI compliance.

“Incapsula addresses a key market need—a cost-effective, comprehensive, cloud-based security service for small to medium-sized companies,” explained Imperva CEO Shlomo Kramer.

Incapsula offers businesses an easy and affordable way to manage website security and performance in-house. For hosting and other service providers, Incapsula enables website security to be extended to an entire customer base and can serve as a platform to offer additional IT services.

“Adding a website to Incapsula is a simple five-minute process that does not require installation of hardware or software, just a simple DNS change,” explained Shatz.  “Incapsula inspects all incoming traffic to any subscriber’s website, keeping hackers out while accelerating outgoing traffic.  The Incapsula service is suitable for the SMB and cloud market, requiring minimal setup with monthly subscriptions starting at only $50 a month.”

“Incapsula is also designed to offer hosting companies, MSSPs and other service providers an effective platform for managing the security and performance of their customers’ websites,” explained Shatz.

Incapsula is currently in Beta and already protecting dozens of websites that are using the service.  Anyone can apply for the Beta at www.incapsula.com.  The Incapsula service is expected to be commercially available at the beginning of 2011.

About Incapsula

Incapsula is a cloud-based service that makes websites safer, faster and more reliable. Incapsula provides websites of all sizes with capabilities that, so far, have only been available to the very largest internet websites.

The service offers an enterprise-grade Web Application Firewall to safeguard your site from the latest threats, a network of servers to speed up the delivery of your site across the globe, and an array of performance monitoring and analytics services to provide you with the best insight on how to improve the delivery of your website.

For hosting and other service providers, Incapsula enables these website delivery services to be extended to an entire customer base and can serve as a platform to offer additional IT services.

Incapsula was founded by a group of industry veterans with rich backgrounds in web application security, online safety and identity theft. The company's mission is to provide every website, regardless of its size, with enterprise-grade website security and availability.

Imperva is the global leader in data security. With more than 1,200 direct customers and 25,000 cloud customers, Imperva’s customers include leading enterprises, government organizations, and managed service providers who rely on Imperva to prevent sensitive data theft from hackers and insiders. The award-winning Imperva SecureSphere is the only solution that delivers full activity monitoring for databases, applications and file systems.  For more information, visit www.imperva.com, follow us on Twitter or visit our blog.

Source: Eskenzi PR


Account Management in Dell Remote Access Controllers Provided by Lieberman Software

London, November 15th, 2010 - Lieberman Software Corporation, the Pioneers of Privileged Identity Management(SM), today announced the immediate availability of a Dell™ Systems Management ISV Certified solution to discover Dell Remote Access Controllers (DRACs) in PowerEdge™ servers and control access to their user accounts. The solution builds upon the existing security of DRAC products and makes it easier for organizations to comply with government and industry regulations that require secured account passwords.

“Lieberman Software is the first member of the Dell PartnerDirect ISV Program to be certified for managing the privileged identities that control access to DRAC devices,” said Kevin Noreen, Senior Product Manager for Systems Management, Dell Enterprise Product Group.  “Dell PowerEdge server customers rely on DRAC devices for powerful, easy-to-use, remote management and configuration options that simplify IT management and enhance security.  Lieberman’s Enterprise Random Password Manager (ERPM) and Random Password Manager (RPM)  solutions underwent a rigorous certification process.  Now our mutual customers will benefit from these incremental security measures when managing privileged access to DRAC devices.”

Typical remote access devices are accessible by distinct network addresses and are often pre-configured with default credentials. Organizations that do not manage root account logins on these devices risk exposing access to unauthorized individuals and lack an audit trail reflecting access information.

Without an automated solution to control the privileged account passwords on remote access cards, many administrators enroll each controller in the organization’s directory services – a time-consuming and complex process. Others attempt to track and change these logins manually or use a common, shared password among large groups of remote access controller devices.

The Lieberman Software solution enables organizations to maintain frequently changed, unique credentials for every DRAC on the network – credentials that are provided only on a need-to-know basis and changed after each use. Access to the credentials is granted through an audited web portal.

The Lieberman Software – Dell Remote Access Controller Integration

Effective immediately, Lieberman Software integrates its fully-functioning support for Dell Remote Access Controller (DRAC) devices in the company’s privileged identity management solutions Enterprise Random Password Manager (ERPM) and Random Password Manager (RPM). The integration is available at no additional charge to the ERPM and RPM licenses, allowing organizations to automatically discover, secure, store and securely recover DRAC login credentials on Dell PowerEdge servers throughout the enterprise. Lieberman Software products deploy quickly to alleviate the difficulties associated with manually updating the accounts on these devices, allowing organizations to bring their remote access controllers into compliance with regulatory mandates for securing privileged accounts.

“Our strategy is to manage privileged identities from the iron to the application – in both physical and virtual environments,” said Philip Lieberman, president and CEO of Lieberman Software. “This announcement demonstrates our expertise in controlling privileged identities by managing a fundamental component of virtually all cloud host environments, regardless of operating system. This capability is also critical to non-cloud datacenters, including large enterprises that rely on DRAC devices and other IPMI-compliant lights-out management cards.”


More information is available at http://www.liebsoft.com/drac_integration/.

Lieberman Software provides privileged identity management and security management solutions that secure the multi-platform enterprise. By automating time-intensive IT administration tasks, Lieberman Software increases control over the computing infrastructure, reduces security vulnerabilities, improves productivity, and helps ensure regulatory compliance. As Pioneers of Privileged Identity Management(SM), Lieberman Software developed the first software in the marketplace to address this need. The company is headquartered in Los Angeles, CA with a support office in Austin, TX. For more information, see www.liebsoft.com.

This press release is presented without editing for your information only. The ICT REVIEW does not recommend, approve or endorse the products and/or services offered, as we have no direct knowledge of them. You should use your own judgment and evaluate products and services carefully before deciding to purchase.

Government Hacking and Smartphone attacks Lead the Security Threats for 2011

Redwood Shores, Calif., 15th November 2010 - Imperva, the global leader in data security, have announced their predictions for the top ten security trends for 2011 which have been compiled by Imperva’s Application Defense Center (ADC), led by Imperva’s CTO Amichai Shulman, to help IT security professionals defend their organization against the next onslaught of cyber security threats.

A detailed white paper is available here

Imperva predicts that the top ten security trends for 2011 will be:

· Trend #1:  Nation-sponsored hacking, like the Stuxnet worm, will build on concepts and techniques from the commercial hacker industry to create more powerful Advanced Persistent Threats (APT).

· Trend #2:  In this upcoming year, we expect to see growing awareness of security incidents due to insiders. Attention will grow as a consequence of an increased flow of incident reports where data theft and security breaches are tied to employees and other insiders. The cause of this trend will be the emphasis put on new regulations covering the act of notification and disclosure (rather than on the actual protection of data).

· Trend #3:  Man in the Browser Attacks Will Increase - growth in the role played by “Man-in-the-Browser” (MitB) attacks in cyber-criminal activity.

· Trend #4: Social Network Security will improve - prominent social networks, and tools, placing more efforts into security over privacy.

· Trend #5: File Security Takes Center Stage - greater number of data breaches where compromised data is in the form of files rather than database records.

· Trend #6: Mobile Devices Compromise Data Security - proliferation of sophisticated mobile devices (SmartPhones, Tablets, etc.) is going to have a substantial effect on application and data security.

· Trend #7: Data Security Goes to the Cloud - an increase in cloud-based application security offerings throughout 2011, along with some early data-security-in-the-cloud offerings.

· Trend #8:  Cyber Security Becomes a Business Process - CISOs and security professionals will need to become business process experts to better protect data as it flows through enterprise systems.

· Trend #9: Hackers Feeling the Heat - the hacking industry will consolidate as amateurs shut down and consolidation among larger, organized groups takes place.

· Trend #10:  Convergence of data security and privacy regulation worldwide.   As more and more governments implement data security and privacy laws, a convergence will take place worldwide.

Amichai Shulman, CTO, Imperva observes, “I anticipate that the threat landscape will evolve in many directions, making data security more challenging than ever. The biggest potential impact will be caused by the proliferation of sophisticated mobile devices interacting with corporate networks. Additionally, hacker activity will consolidate into a relatively small number of stronger more powerful and resourceful criminal organizations.  One of the key attacks I expect to see a significant rise in are so-called man-in-the-browser attacks as criminals target the weakest link – end users.  Finally, insider threats will become more prominent as regulations force organizations to become more transparent.”

The trends have been detailed below:

Trend #1:  Nation-sponsored Hacking:  When APT Meets Industrialization

Nation-sponsored, specifically targeted cyber-attacks will incorporate concepts and techniques from the commercial hacker industry. These campaigns will carry a different malware payload than the traditional attacks conducted for monetary gain, but they will use similar techniques. These Advanced Persistent Threat (APT) attacks will borrow techniques, such as automation and viral distribution, making them all the more powerful and potentially more successful. An example of such an attack is Stuxnet, which was not searching for data to monetize; rather, it was focused on gaining control of crucial infrastructure.

Both classes of attack (hacker industry and APT) are going to use some of the same techniques, so some security controls are applicable to both. On the positive side, if you’re covered against the cyber-mafia you should have some of the controls needed to be protected from certain APT attacks. As APT is persistent, if a certain attack does not succeed, another one will come into play. Traditional security controls do not deter these relentless, state-sponsored hacker organizations. For the enterprise as well as government, this means increasing monitoring of traffic and setting security controls across all organization layers.

Trend #2:  The Insider Threat – it’s much more, much more, than you had imagined

In this upcoming year, we expect to see a growing awareness of security incidents of an “insider job” nature. Attention will grow as a consequence of an increased flow of incident reports where data theft and security breaches are tied to employees and other insiders. The cause of this trend will be the emphasis put on new regulations covering the act of notification and disclosure (rather than on the actual protection of data).

To deter insider threats, organizations should therefore:

· Enforce access controls such that access is based only on a business need-to-know. This includes eliminating excessive privileges.

· Provide the proper access auditing tools to data centers. These auditing tools should monitor who accesses what data.

Trend #3:  Man in the Browser Attacks Will Man Up

Man in the Browser (MitB) attack sophistication is going to increase, as well as moving forward to more types of online applications. As a consequence, more online service providers are going to include this in their list of priorities for 2011, shifting the responsibility for mitigating the risk from the consumers to the service providers.

While avoiding infection by Proxy Trojans is presumably the responsibility of consumers, MitB attacks are quickly becoming a concern of online service providers. The actual rate of infection and the proliferation of the many types of MitB malware suggest that providers must be able to serve (and protect) customers who might be infected with one type of malware or another. Just as the evolution of vehicle safety drove manufacturers to include devices such as ABS, air bags and ESP, rather than rely on us to drive carefully, so will online service providers need to invest in mechanisms that allow them to conduct business with allegedly infected consumers. Among the technologies that we foresee as helpful are strong device identification, client profiling, fast security code evolution, session flow tracking and site-to-client authentication.

Trend #4: Misanthropes and Anti-Socials: Privacy vs. Security in Social Networks

In 2011, we will see prominent social networks, and tools, placing more effort into security than into privacy. This is not the result of resolved privacy issues, but rather of an understanding of the real threats to the existence and proliferation of social networks.

There are two key factors at stake: security and trust. While privacy concerns the ability to keep personal information hidden from other application users, security controls the way in which people use the information of others. Trust impacts our ability to make decisions based on the information we receive through social networks.

In today’s social networking platforms, both security and trust are in danger. Cross-site scripting (XSS) and cross-site request forgery (CSRF) vulnerabilities are quickly translating into massive worm outbreaks.

Next year, we expect social platforms to invest more resources in improving the security posture of the platform. These measures will provide improved protection against application layer attacks, stronger authentication and account control features, as well as better malware detection systems.

Trend #5: File Security Takes Center Stage

In 2011, we expect to see a growing number of data breaches where the compromised data is in the form of files rather than database records. Consequently, organizations will rush to look for the proper tools to control access to repositories of unstructured data, mainly file servers. We estimate that the number of compromised files, and the number of organizations that suffer a massive file-related security breach, will rise. Even PCI 2.0 has recognized the security aspect of storing data in different locations.

With today’s available tools, controlling access to and usage of these files can be an extremely daunting task. Since each file is an autonomous entity with respect to content ownership and access control (unlike a database record), maintaining control of who can access a file is almost impossible, as is keeping track of access to those files that contain sensitive information. The inability to maintain control may result in excessive access privileges and an inadequate audit trail of access to sensitive information.

Trend #6: Data Security Goes to the Cloud

We expect to see more application security offerings in the cloud throughout 2011, and predict some early offerings for data security in the cloud. Offerings will need to respond to private and public clouds that are either self-serviced or managed as a service. This trend is a late response to the move of many applications and data stores to cloud technologies, and to the industrialization of hacking, which dragged many smaller online businesses into the threat zone.

Taking together all forms of cloud (private and public; SaaS, PaaS and IaaS), we can see a set of challenges for both providers and consumers. These can be summarized as follows:

  • Maintaining bulletproof partitions between datasets of different customers
  • Providing different levels of data security to applications sharing the same logical or physical platforms
  • Protecting customer data from the prying eyes of cloud administrators
  • Providing solutions that operate over a specialized infrastructure (VM, Amazon AMI)
  • Managing application and data security for a large number of applications inside the cloud

We expect that in 2011 good technical solutions for application security in the cloud will be available and gain traction, while data security solutions (protecting data stores in the cloud) will lag behind.

Trend #7: Mobile Devices Compromise Data Security

The proliferation of sophisticated mobile devices (SmartPhones, Tablets, etc.) is going to have a substantial effect on application and data security in the coming years. In particular, we will see organizations struggle to accommodate the increase in number and variety of these devices, while maintaining traditional data and application security practices.

The past couple of years have witnessed a dramatic surge in the number of sophisticated mobile devices being used as access points to online services and enterprise networks. Add to the mix a growing variety of applications that are a gateway to enterprise systems, including CRM, ERP, and document management. While we are used to concerning ourselves with lost or stolen laptops, it turns out that missing mobile devices may be just as big of a pain point.

As mobile devices become mainstream, online service providers will create a special version of their applications to match each device platform. We anticipate that this process will cause older vulnerabilities to surface once again, in particular mistakes around identification and authentication. Thus, the applications will become vulnerable to mistakenly trusting attributes of the data stream that can be forged by an attacker.

Furthermore, some assumptions regarding “strong” multifactor authentication schemes are becoming obsolete. Take, for example, applications that use a one-time password (OTP) to validate sensitive transactions: they are being defeated by Trojans that are able to access the OTP delivered through SMS.

Mobile malware will proliferate as malicious code becomes available for these platforms (e.g. Zitmo), and the complex applications (not to mention the usual human flaws) make it as easy, if not easier, to infect a mobile device with malware as any standard desktop platform.

We expect exponential growth in the number of incidents related to mobile devices in the next few years. Organizations need to start planning to secure the devices and their interaction with the enterprise networks. Tools and procedures need to be put into place, such as anti-malware, encryption, and authentication. Special monitoring requirements should be set for access of these devices to enterprise resources (databases, files, intranets). On the other hand, application providers need to get their act together with respect to serving these devices, including vulnerability mitigation, reevaluation of trust, and incorporation of new authentication/authorization channels.

Trend #8: Hackers Feeling the Heat

In 2011, the cyber crime landscape will change in two ways. First, more and more smaller cyber-gangs will go out of business.  Why?  Security researchers will continue to look into the hacker operations and will unearth the smaller or less diligent criminals.  In general, the hacker industry will react by investing more resources in their attack techniques and detection evasion. The hackers that cannot make this investment will go out of business. Other cyber-criminal organizations will “buy-out” other groups or merge their operations with other groups. This will lead to the second change.  The current powerful cyber-crime organizations will consolidate their power and grow (after all, antitrust laws don’t apply to them). 

As the year 2010 draws to a close, it provides us with all the more examples of this accelerating trend:

· At the end of September, Zeus botnet ring leaders and operatives were arrested. This was the culmination of a year-long investigation that included the infiltration of the C&C servers by security researchers. Similarly, the mastermind of the Bredolab botnet was arrested three weeks later.

· During mid-October, the Avalanche phishing group completed their two-year-long move from phishing techniques to distributing MitB Trojans.

· The end of October saw the Iranian Cyber-Army (ICA), infamously known for engaging in politically motivated DDoS attacks, advertising their bots for rent.

· Also, towards the end of October, the bot code developers of the ever-competing SpyEye and Zeus bots were showing signs of an upcoming merger.

Trend #9:   Cyber Security Becomes a Business Process

Intel buys McAfee. Now rumors swirl about IBM and Fortinet. The consolidation taking place among security vendors implies, as Intel CEO Paul Otellini put it, “We have concluded that security has become the third pillar of computing.” Vendors are seeing a big shift in security; what about enterprises?

Today, cyber security can't be separated from business operations. For this reason, how security teams must view and approach their roles has changed dramatically.  For example, in the past, a CIO’s role was laptop distribution.  Today, CIOs build supply chains.  In the past, CISOs distributed anti-virus and set up firewalls.  Today, they must know where data resides, where it moves and how to protect it, which requires a serious, comprehensive data security practice.  This means security teams need to become business process experts to keep the bad guys disarmed while keeping the good guys productive.

Trend #10:  Convergence of Data Security and Privacy Regulation Worldwide

As newspapers feature more companies that violate data privacy on their front pages and security breaches appear daily, government regulators will continue to tighten the legal screws on enterprises.

Continuing data breaches force more and more governments—and even private industries—to consider more in-depth security regulations to protect citizens. But another interesting trend seems to be flying under the radar:  as enterprises contend with additional data laws, a consolidation will take place across borders. Recently, for instance, the FTC reached out to the EU to begin the process of investigating where both sides of the Atlantic can unify data security laws.  Companies will comply, but will find the task of complying with multiple mandates across borders very difficult.  Governments will respond—in fact already are—to define a common framework to make life easier for themselves and for enterprises housing data. 

Imperva is the global leader in data security. With more than 1,200 direct customers and 25,000 cloud customers, Imperva’s customers include leading enterprises, government organizations, and managed service providers who rely on Imperva to prevent sensitive data theft from hackers and insiders. The award-winning Imperva SecureSphere is the only solution that delivers full activity monitoring for databases, applications and file systems.  For more information, visit www.imperva.com, follow us on Twitter or visit our blog.

Source: Eskenzi PR

According to Trusteer, 2FA Is Powerless Against Real-Time Phishing Attacks

Trusteer’s research group has found that 30% of attacks against websites that use two-factor authentication are now utilizing real-time man-in-the-middle techniques to bypass this trusted security mechanism. These findings are based on the monitoring of thousands of phishing attacks.

According to Mickey Boodaei, Trusteer's CEO, in a real-time phishing attack the user enters details onto a phishing website which captures the banking credentials and authentication information; the stolen credentials are then immediately used to open a session on the real bank website to commit fraud. Authentication information typically captured and used by criminals in real-time phishing includes one-time passwords (OTP), tokens, SMS authentication and card-and-reader devices, rendering them ineffective against this type of attack.

Most phishing attacks to date have been completely static. In traditional phishing attacks the victim reaches a phishing website, submits login credentials, and these credentials are stored for later use by e-criminals. The introduction of strong two-factor authentication systems, especially one-time passwords, rendered these attacks useless, as fraudsters could not use static stolen credentials to commit fraud. With strong two-factor authentication the user is required to provide an OTP as part of the login process. There are many OTP approaches: some are based on token devices that users carry with them; others are sent to the user's phone as an SMS text or voice call each time the user tries to log on. OTPs are time-limited: even if the fraudsters manage to capture OTP data, there is only a short period of time in which this data can be used. For some time, websites that used strong two-factor authentication reported a significant drop in phishing attacks. The e-criminals, however, have not given up.

Man-in-the-Middle Phishing

“Recently Trusteer have noticed an increase, on 3 different continents, of a type of attack called man-in-the-middle phishing or real-time phishing. This tactic allows fraudsters to completely bypass two-factor authentication. The concept is not a new one and is well known in the security world; however, up until now, we haven't seen too many attacks like this. The recent escalation of websites now experiencing this type of attack is a cause for immediate concern,” said Boodaei.

In a man-in-the-middle attack the phishing website is connected, in real time, to the bank website. The credentials that the user submits to the phishing site, including OTPs, are stolen and used immediately by the fraudsters to initiate a fraudulent session with the bank website. It doesn't matter whether the website is using a dedicated OTP token, SMS authentication, a card and reader, or any other type of two-factor authentication.

At first glance, real-time phishing seems just like any other phishing attack. On closer examination of the malicious website, however, one can determine that it is, in fact, connected in real time to the bank. This enables any information submitted to the fake web page to be immediately posted to the bank website.

Many organizations that used strong two-factor authentication were dismissive of phishing attacks, as they assumed that such attacks were incapable of bypassing their security controls. This is no longer the case. Using phishing kits with real-time capabilities, fraudsters have improved their operations to conduct fraud in real time.

“With real-time phishing, OTPs are becoming useless. There is no update or improvement to OTP that can defeat real time phishing. The best form of defence is to implement dynamic layers of security, including browsing security, that can adapt to and block new threats,” said Boodaei.

Source: Eskenzi PR Ltd.

Idappcom warns ‘pay-for-bugs’ approach by ITsec vendors sends out the wrong message

London, November 2010 - Reports that Barracuda Networks is offering in excess of $3,000 for details of serious bugs in its IT security products are the latest stage in a worrying new trend, says vulnerability and testing security specialist Idappcom.

Anthony Haywood, Idappcom’s CTO, says that even though Barracuda is billing the bug bounty scheme as being in the best interests of customers, there is a significant danger that it will attract developers into researching the vendor's products and then offering the bugs they find to the highest bidder.

"And, of course, if the bug is a really serious one that cybercriminals can exploit to generate fraudulent revenue, there is a significant danger of the exploit information falling into the dark ecosystem that black hat hackers - as well as cybercriminals - now inhabit," he said.

"Whilst even organisations like Google and Mozilla offer juicy sums of money for bugs in their software, you are going to get other vendors following suit. But just because it is becoming the norm for the IT industry, does not make it in the long-term interests of our market sector," he added.

The Idappcom CTO went on to say that the bug bounty schemes offered by a growing number of IT players have parallels in the ‘litigate for free’ industry that has sprung up in the legal sector on both sides of the Atlantic over the last decade or so.

The law firms, he says, argue that their litigate-for-free service is really in the best interests of the consumer, but the problem is that a whole new industry has been created, which has ended up pushing insurance premiums up for most businesses.

Someone, somewhere, has to pay for these types of services, and, Haywood observes, the same conclusions apply to the bug bounty programs offered by IT vendors.

The irony of the situation, he explained, is that, as well as paying indirectly for the bug bounty schemes, end users of IT security systems, software and services also end up ‘paying’ as the tide of malware and other electronic mayhem rises as a result.

"This is a cause and effect situation. No one really wins in the longer term from bug bounty programs. And that's why we say that they are not in the real interests of our industry," said Haywood.

"In the short term they make a good story - and perhaps even a good event like CanSecWest's Pwn2Own cracking contest in North America - but the bottom line is that it's not in our industry's best interests to offer such large sums of money. For that reason we give a definite thumbs down to such practices," he added.

For more on the latest bug bounty scheme: http://bit.ly/b6wIiF

For more on Idappcom: www.idappcom.com

TUFIN TECHNOLOGIES WINS the PRESTIGIOUS 2010 Computing Security Award for ‘Best bench tested solution of the Year’

Network Computing and Computing Security Magazine Editors Select Tufin’s SecureChange Workflow as the Top Product Reviewed in 2010

London – November 11, 2010 – Tufin Technologies, the market-leading provider of Security Lifecycle Management Solutions, today announced that it won the Computing Security Award for ‘Best Bench Tested Solution of the Year.’ Presented by the United Kingdom’s most respected IT security magazines, Network Computing and Computing Security, the Computing Security Awards were launched to honor the products and services that have made a positive contribution to making organizations more secure.

Unlike all the other categories, which were determined by anonymous voting via the Computing Security Awards website, the ‘Best Bench Tested Solution of the Year’ was selected by the magazines’ editorial staff from the group of solutions that underwent rigorous product testing by Network Computing reviewers over the course of the year.

The Network Computing review of Tufin SecureChange Workflow, which appeared in July 2010, stated: “Tufin is an undeniable specialist in network security; its SecureTrack product offers sophisticated firewall policy management and configuration auditing tools. SecureChange Workflow extends this expertise to provide a complete solution that automates and manages the change request process from start to finish… Tufin's SecureChange Workflow adds a new dimension to network security.”

“This award is significant for us because Tufin’s vision for Security Lifecycle Management is incomplete without market acceptance and adoption of SecureChange Workflow,” said Shaul Efraim, vice president of Products, Marketing and Business Development, Tufin Technologies.   “We were thrilled when we first saw the review, but receiving top honors for its technical merits from a well respected publication is incredibly fulfilling and validating for us - we couldn’t be more excited!”

Tufin has provided its 600 customers with the ability to automate critical but highly error prone, manual network security processes, which in turn has enabled them to cost-effectively manage their network security policy, comply with regulatory standards, and minimize IT risks. Tufin’s products slash the time and cost of managing these processes by more than half – delivering a compelling value proposition in a fast-growing industry. 

This prestigious honor is the latest in a series of accolades and honors Tufin has received throughout 2010. In October 2010, Deloitte Israel ranked Tufin as the second fastest growing technology company in Israel, based on its phenomenal revenue growth over the past five years. In July it won a prestigious Stevie Award, “Innovator of the Year,” from the International Business Association, and in June it received a 5-star review (top rating) in SC Magazine for Tufin SecureTrack, its flagship firewall operations solution, and a standout review in Network Computing magazine of its automated change management solution, SecureChange Workflow, which resulted in Tufin winning this award. Earlier in the year, it received an honorable mention on StartupBusiness.com’s list of Hot 100 Startups and was named a Red Herring EMEA “Hot 100” finalist.

Tufin™ is the leading provider of Security Lifecycle Management solutions that enable companies to cost-effectively manage their network security policy, comply with regulatory standards, and minimize IT risk. Tufin’s award-winning products SecureTrack™ and SecureChange™ Workflow help security operations teams to manage change and perform reliable audits while dramatically reducing manual, repetitive tasks through automation. Founded in 2005 by leading firewall and business systems experts, Tufin serves more than 600 customers in industries from telecom and financial services to energy, transportation and pharmaceuticals. Tufin partners with leading vendors including Check Point, Cisco, Juniper Networks, Fortinet, F5, Blue Coat, McAfee and BMC Software, and is committed to setting the gold standard for technological innovation and dedicated customer service.

For more information visit www.tufin.com, or follow Tufin on:

· Twitter at http://twitter.com/TufinTech

· LinkedIn at http://www.linkedin.com/companies/tufin-technologies

· Facebook at http://www.facebook.com/Tufintech

· The Tufin Blog at http://www.tufin.com/blog

· The Tufin Channel on YouTube at http://www.youtube.com/user/Tufintech

Source: Eskenzi PR

ISACA Survey: Employees Will Spend Six Hours Shopping Online at Work and Take Bigger Risks This Holiday Season

  • Survey features US and UK employees' online holiday shopping plans
  • Additional results available at www.isaca.org/online-shopping-risks  

London, UK  (9th November 2010)—Employees plan to spend less time shopping online from a work-supplied computer this holiday season than they did a year ago, but more of them are engaging in risky behavior, according to ISACA’s annual “Shopping on the Job: ISACA’s Online Holiday Shopping and Workplace Internet Safety Survey”, which includes responses from 365 workers in the UK and 638 workers in the US.

Employees are expecting to spend an average of 6 hours shopping from a work computer or mobile device, with a quarter planning to spend 9 hours or more (20% USA and 33% UK). But there is an increase this year in the number of employees who take risky actions online, such as clicking on an e-mail link or providing their work e-mail address when shopping online, and 45% report accessing social network sites from their work-supplied computer or mobile device (42% USA and 49% UK).

“Employees who shop online not only reduce productivity—especially in late November to mid December, when 71% in the US and 65% in the UK make their purchases—but also open the door to social engineering and phishing attacks, malware, and information breaches that can cost companies thousands per employee to correct, millions in compromised corporate data, and severe damage to their reputation,” said John Pironti, CISA, CISM, CGEIT, CRISC, CISSP, advisor with ISACA and president of IP Architects, LLC.

Shopping on Company-issued Mobile Devices

This year’s survey also found that almost half (47% in the US and 49% in the UK) of those who will be shopping online with company devices will do so using an employer-issued portable device, such as a notebook computer, tablet or smart phone. This increases a company’s security risk because these devices are often used on wireless networks outside of a protected corporate network. They also are more easily lost or stolen, and contain corporate data that are typically not encrypted.

“The number of portable computers and mobile devices in the workplace is only going to increase, so companies need to create a realistic security policy that lets employees stay mobile without compromising the company’s intellectual property. The IT mantra should be ‘embrace and educate’ to balance productivity and security,” said Mark Lobel, CISA, CISM, CISSP, mobile security project leader with ISACA and a principal at PricewaterhouseCoopers.

Security Not a Major Concern, Especially Among Digital Natives

Employees say the top three reasons for shopping at work are that it is a convenient use of lunch/break time (38% in the US and 25% in the UK), they are working long hours and don’t have time to shop from home (17% in the US and 26% in the UK) and they are bored at work (11% in the US and 5% in the UK). Security is not a major worry for survey participants, with only 3% in both the US and UK citing “better security” on their work computer as a reason for shopping online using a work computer, and just under two-thirds reporting that they do not use secure browsing technology on work-supplied devices. Forty-one percent in the US and 50% in the UK assume that their IT department keeps them up to date on security patches.

This attitude is especially common among digital natives, the generation that has grown up with the Internet. Young adults (ages 18-34) in the survey are less likely to use secure browsing technology. They also are the most likely to shop online at work and have the highest laptop use among all age groups.

“Digital natives are comfortable with blurring the lines between work and play, which poses new and interesting management challenges for their employers,” noted Robert Stroud, CGEIT, international vice president of ISACA and service management and governance evangelist at CA Technologies. “This generation is happy to use their own tablet computer at work or a work-supplied smart phone for shopping or updating Facebook, so they need a new kind of IT security policy—one that balances access and control.”

Shopping on the Job Costs UK Companies £3,000 or More per Employee

A separate global survey of 834 business and information technology (IT) professionals who are members of ISACA, conducted during the same time period, shows that a third of European respondents believe their organization loses £3,000 or more per employee as a result of an employee shopping online during work hours in November and December.

For mobile devices, an overwhelming majority (68%) ranked the risk of using a mobile shopping application on a work-supplied device as high or moderate. Despite that, 51% allow employees to use work-supplied mobile devices for personal use and 37% let employees use their own mobile devices for work.

For more information on managing risky online behaviors in the workplace, download ISACA’s new free white paper, E-Commerce and Consumer Retailing: Risks and Benefits, at http://www.isaca.org/online-shopping-risks.

ISACA’s Tips for Safe Shopping From Work Computers or Mobile Devices

For employees/online shoppers:

  • Do not click on an e-mail or web link that is from an unfamiliar sender or looks too good to be true.
  • Be very careful with the company information on your notebook, tablet or smart phone (for example, use a privacy screen shield on mobile devices).
  • Password-protect your mobile device and its memory card.
  • Make sure that the security tools and processes protecting your work-supplied mobile devices are kept up to date. If unsure, ask IT.

For the IT department:

  • Team up with human resources to adopt an “embrace and educate” approach. Promote awareness of the security policy.
  • Encrypt data on devices.
  • Use secure browsing technology.
  • Take advantage of industry-leading practices and governance frameworks such as the Business Model for Information Security (BMIS).

About the ISACA Shopping on the Job Survey

The third annual “Shopping on the Job: ISACA’s Online Holiday Shopping and Workplace Internet Safety Survey” is based on online polling conducted between 27 September and 10 October 2010 of 2,853 US consumers by M/A/R/C Research, with a margin of error of 3.9 percent at the 95 percent confidence level. The UK edition was conducted by Eskenzi PR and based on a survey of 365 consumers. A separate, but related, online survey was conducted by ISACA between 27 September and 4 October 2010 among 3,307 ISACA members in North America, Central/South America, Europe, Asia and Oceania. European findings are based on responses from 834 ISACA members. The study is designed to capture insights about online holiday shopping using work-supplied computers and devices, and employee compliance with online shopping policies in the workplace.

With 95,000 constituents in 160 countries, ISACA® (www.isaca.org) is a leading global provider of knowledge, certifications, community, advocacy and education on information systems (IS) assurance and security, enterprise governance and management of IT, and IT-related risk and compliance. Founded in 1969, the nonprofit, independent ISACA hosts international conferences, publishes the ISACA® Journal, and develops international IS auditing and control standards, which help its constituents ensure trust in, and value from, information systems. It also advances and attests IT skills and knowledge through the globally respected Certified Information Systems Auditor® (CISA®), Certified Information Security Manager® (CISM®), Certified in the Governance of Enterprise IT® (CGEIT®) and Certified in Risk and Information Systems Control™ (CRISC™) designations.

ISACA continually updates COBIT®, which helps IT professionals and enterprise leaders fulfill their IT governance and management responsibilities, particularly in the areas of assurance, security, risk and control, and deliver value to the business.

Follow ISACA on Twitter: http://twitter.com/ISACANews

Source: Eskenzi PR