Origin Storage says Canadian health data theft highlights case for multi-layered drive security

Basingstoke, 18th March 2011 - Reports from Canada about the theft of a hospital hard drive containing photos and videos of patients show how easily data drives go missing in public areas, says Origin Storage.

And, says Andy Cordial, the MD of the storage systems specialist, the drive theft incident at Misericordia Hospital in Edmonton, Alberta, shows that - no matter what data security policies an organisation has in place - hard-pressed staff will often take the easy option and ignore procedure.

"So what is the solution? Clearly security policies surrounding the security of patient data were in place at this hospital, but they just weren't followed, so the answer has to be to introduce multiple layers of security, which staff simply cannot circumvent, even if they want to," he said.

"Our own DataLocker range of PIN-protected portable hard drives (http://bit.ly/2vb6y9) is a good example of a multi-layered security system. Users can still have the benefit of AES encryption on the drive for security, but as an added measure, users must also know the passphrase of the security unit, without which they cannot access the data," he added.

According to Cordial, had the Edmonton hospital used such a device, then even if the thief walked off with the drive, the unit would have locked automatically, preventing any access to the data.

Using this approach to data security, says the Origin Storage MD, is an ideal way of bolstering the existing data security defences in an organisation, in situations where existing IT security policies cannot be fully applied.

Origin's observation amongst its many customers, he says, is that data needs protecting whether it is at rest or in transit and, whilst encryption offers an excellent form of protection, adding extra layers of security in portable or back-up situations makes a lot of sense.

"Had this incident happened in the UK, the Information Commissioner's Office would have been on to the health body concerned very quickly indeed, and at the very least, publicly secured a written guarantee from managers that a change of security procedures - to prevent a recurrence - would take place," he said.

"That means that management heads will roll if an infringement of the Data Protection Act occurred again. This sort of incident - and the consequential publicity plus investigations that result - has a curious habit of significantly grabbing managerial attention," he added.

"Using multi-layered technology can not only avoid a data loss for whatever reason, it can also avoid dragging your organisation's reputation through the mud, as has clearly happened with this hospital."

For more on Origin Storage: www.originstorage.com

For more on Edmonton hospital patient data disk theft: http://bit.ly/fNb5IX

This press release is presented without editing for your information only.

Full Disclosure Statement: The ICT REVIEW received no compensation for any component of this article.

Venafi survey reveals enterprises plagued by epidemic of stolen and lost digital certificates

78% of organisations have experienced downtime due to mismanaged encryption this year

London, March 16, 2011 - Venafi, the inventor of and market leader in Enterprise Key and Certificate Management (EKCM) solutions, today announced the findings of its 2011 Venafi Encryption Key and Digital Certificate Management Report. The report reveals that organisations are deploying increasing numbers of digital certificates and encryption technologies, but that these security assets are also being lost, stolen and left unaccounted for in epidemic proportions. Ironically, digital certificates and encryption keys are critical components of all information security programs, but they become dangerous liabilities when they go missing and find their way into the wrong hands.

Jeff Hudson, CEO of Venafi, said: "It is well documented that digital certificates played a key role in the Stuxnet attack that destroyed multiple centrifuges in an Iranian nuclear facility, and it is widely accepted that lost encryption keys can provide malicious insiders access to valuable corporate information revealed on high-profile whistle-blower sites such as WikiLeaks. Venafi compiled results from market and analyst report research, from a 471-respondent survey that included managers up to C-level executives from enterprise-class organizations within multiple industries, and from prior market surveys. The findings are shocking."

Respondents surveyed reported the following:

  • 51 percent stated they had experienced either stolen or unaccounted-for digital certificates, or that they were uncertain if their organisations had lost, stolen or unaccounted-for digital certificates in general.
  • 54 percent stated they had experienced either stolen or unaccounted-for encryption keys, or that they were uncertain if their organisations had lost, stolen or unaccounted-for encryption keys in general.

Exacerbating the problem is the volume and diversity of encryption technologies and certificate authorities (CAs) organisations must deal with on a daily basis. The number of encryption assets in their inventories grows regularly, and scattered individuals and teams frequently manage them. According to the survey findings:

  • 46 percent of organisations are managing at least 1,000 digital encryption certificates; 20 percent are managing more than 10,000.
  • 83 percent of organisations are managing technologies from at least two different CAs; 18 percent are dealing with more than five.
  • 88 percent of organisations have multiple administrators managing encryption keys; 22 percent have more than 10.
  • 42 percent of organisations manage encryption technologies from at least four vendors; 8 percent are dealing with more than 10.

Fifty-nine percent of the respondents surveyed worked in organisations with more than 5,000 employees. Respondents' organisations spanned a wide range of industries, including high tech, telecommunications, banking/financial services, energy/oil and gas, government, aerospace, manufacturing and retail. Among the respondents was one of the world's largest food distributors and consumer retailers. To access the complete report, visit: www.venafi.com/market-data.

Learn More about Venafi and Customers at Infosecurity 2011

This announcement comes on the heels of the recently announced Venafi Encryption Director 6 product release. Director 6 is recognised by customers and analysts as the only security platform that can fully automate EKCM processes, allowing organisations to automate the discovery, monitoring, validation, management and security of the most commonly used encryption assets. During Infosecurity 2011, 19th to 21st April 2011 in London, Venafi will be providing on-demand demonstrations of Director 6 in its booth (# AA52) during exhibition hours.

About Venafi

Venafi is the inventor of and market leader in Enterprise Key and Certificate Management (EKCM) solutions. Venafi delivered the first enterprise-class solution to automate the provisioning, discovery, monitoring and management of digital certificates and encryption keys—from the desktop to the datacenter—built specifically for encryption management interoperability across heterogeneous environments.

Venafi products reduce the unquantified and unmanaged risks associated with encryption deployments that result in data breaches, security audit failures and unplanned system outages. Venafi customers include the world's most prestigious Global 2000 organizations in financial services, insurance, high tech, telecommunications, aerospace, healthcare and retail. Venafi is backed by top-tier venture capital funds, including Foundation Capital, Pelion Venture Partners and Origin Partners. For more information, visit www.venafi.com.

There are no zombies in Denver, Colorado says SecurEnvoy

16/3/2011, London - An amusing incident involving a Denver, Colorado digital road sign that was hacked to display 'Zombies Ahead' has been highlighted by SecurEnvoy as a classic demonstration of the need for transparent authentication.

"The Denver incident at the weekend - amusing though it was - centered on the fact that someone opened an unlocked control panel and reprogrammed the warning road sign," said Andrew Kemshall, technical director with SecurEnvoy, the pioneers of tokenless authentication.

"The $64,000 question, once the laughter has died down, is why the highways authority didn't use some form of security, and the answer is that conventional security with its tokens, often just gets in the way of people doing their job," he added.

But, says Kemshall, what if the highway staff were able to authenticate themselves to the road sign - and all manner of emergency highway equipment - using their smartphone?

Let's face it, he adds, almost everyone carries a mobile with them these days, and highway workers in the US are no exception, as they probably use them to communicate with their colleagues and, of course, their base.

But, the SecurEnvoy director of technology went on to ask, what if that same mobile could act as an authenticator to many other electronic systems, and not just digital road signs?

It could, for example, allow managers on the highway to enter staff worksheets online, via the regular Internet, authenticating themselves without the need for passwords and tokens. Just type your ID into the Web site, key in the electronic token number that is returned to your mobile phone, and away you go - securely.

Just as smartphones have revolutionised the security of lone worker employees - a legal requirement in many organisations - so the smartphone can also be used to securely authenticate users without the need for an easily-lost two-factor authentication (2FA) token.

"As we've seen amongst the banks, who are now moving to 2FA devices to enhance online banking security, IDs and passwords are no longer enough to secure online systems - unless you happen to be the memory man and can remember a 12 digit alphanumeric with upper and lower case digits," he said.

"This is what makes the Denver, Colorado Zombies road sign incident such a key example of what can happen when security fails because it is too cumbersome, and if it's happened in the US, how long before it happens here? If the workers had been able to use their mobiles to authenticate themselves, this saga wouldn't have occurred," he added.

"This incident may be funny, but it could have been quite nasty if the hacker hadn't been so humorous. All sorts of traffic panic situations could have occurred, and that really is not good."

For more on SecurEnvoy: www.securenvoy.com

For more on Zombie road signs in Denver, Colorado: http://bit.ly/elUaSz

Idappcom blames hacktivists for SpyEye DDoS enhancements

14th March 2011 - The blame for a DDoS (distributed denial of service) enhancement being added to the infamous SpyEye ebanking malware has been laid at the feet of the WikiLeaks hacktivists by Idappcom.

According to the data traffic analysis and security specialist, it was almost certainly the development - and propagation - of the LOIC DDoS utility by supporters of the Anonymous hacktivist group (http://bit.ly/aPn34c) that spurred cybercriminals into adding the 'feature' to SpyEye.

"What we have been witnessing in the black hat hackersphere these last few months is a mirror image of evolutions in the so-called white hat security arena," said Anthony Haywood, Idappcom's chief technology officer.

"The development of the Low Orbit Ion Cannon DDoS utility showed that it is possible for a few concerted Internet users to stage a powerful DDoS attack on major sites such as MasterCard (http://bit.ly/fP0oJr) and this, in turn, made the cybercriminals behind SpyEye realise its potential and add the 'feature' to the online banking trojan," he added.

The Idappcom CTO went on to say that, had the Anonymous/WikiLeaks DDoS utility not been developed, then the world - on both sides of the white/black hat hacker divide - would have remained largely ignorant of what a powerful weapon a DDoS utility is.

SpyEye, he explained, is a form-grabbing trojan horse malware that operates in a similar manner to Zeus but has been marketed by cybercriminals as a lower-cost alternative darkware application that heists banking credentials from infected users' PCs.

The irony of the DDoS enhancement to SpyEye, Haywood says, is that it will push up the price of SpyEye rentals to cybercriminals, and so increase the revenue stream for the developers of the trojan.

"Idappcom's in-depth research into the darkware-driven side of Internet traffic makes us realise what a breakthrough the DDoS enhancement to SpyEye really is. We already know that the development team behind the Zeus trojan has also been working on SpyEye since last October (http://bit.ly/h4IW6l), so it can only be a matter of time before Zeus gets this enhancement as well," he said.

"This development really is bad news for those users of the Internet who access their banking system online, as it breathes new life into SpyEye, and prolongs the agony of online banking cybercrime," he added.

"It's to be hoped that the citizen evangelists realise the immense mistake they made in developing such a powerful cybercrime weapon as the LOIC utility, and that the genie really is now well and truly out of the bottle."

For more on the SpyEye DDoS enhancements: http://bit.ly/gly9nV

For more on Idappcom: www.idappcom.com

ISACA’s EuroCACS Conference Demystifies the Cloud

Event for IT Professionals Will Take Place 20-23 March, Manchester

London, England, (8th March 2011)—Global business and information technology (IT) leaders will meet at the European Computer Audit, Control and Security (EuroCACS) Conference in Manchester from 20-23 March to share the latest guidance on key IT security and governance issues facing enterprises today. Hosted by ISACA, a global association of 95,000 IT professionals, EuroCACS will examine topics such as virtualisation, outsourcing, governance, risk and compliance, social computing, social networking and human factors, and cloud computing.

EuroCACS will feature 12 sessions that help attendees demystify the cloud.

Urs Fischer, CISA, CRISC, owner of Urs Fischer IT GRC Consultancy, will examine the benefits that cloud computing can offer from the perspective of cutting costs—a key motivation for the migration from in-house services. Mike Small, information security management advisor, will outline the changes to identity and access management that will exist in the cloud environment, and Peter Wood, CEO, First Base Technologies LLP, will share how to improve information security in the cloud.

Robert Stroud, CGEIT, vice president, CA Technologies, will be looking into his 'crystal ball' to discuss the impact of new technology and emerging trends, including the effect cloud computing is likely to have on the future of IT.

Prof. John Walker, CISM, managing director of Secure-Bastion Ltd, will address the challenges and risks involved in implementing cloud-based solutions in his session titled ‘Cloud Computing and the Extended Perimeter: New Age Risk Management’. Walker is confident that cloud-based solutions can match, and even exceed, those in place in-house today, within the areas of operational ownership, reducing cost and increasing efficiency.

“Cloud computing provides opportunities of scale, with the ability to switch into and out of services as dictated by operational need,” said Walker. “With the appropriate governance structures in place, cloud computing can add substantial value to an enterprise by allowing for flexibility and potentially reducing costs substantially.” 

To learn more about the emerging opportunities and technologies that are available to drive the business, visit www.isaca.org/eurocacs. For a complimentary white paper titled Cloud Computing: Business Benefits With Security, Governance and Assurance Perspectives, visit www.isaca.org/cloud.


With 95,000 constituents in 160 countries, ISACA® (www.isaca.org) is a leading global provider of knowledge, certifications, community, advocacy and education on information systems (IS) assurance and security, enterprise governance and management of IT, and IT-related risk and compliance. Founded in 1969, the nonprofit, independent ISACA hosts international conferences, publishes the ISACA® Journal, and develops international IS auditing and control standards, which help its constituents ensure trust in, and value from, information systems. It also advances and attests IT skills and knowledge through the globally respected Certified Information Systems Auditor® (CISA®), Certified Information Security Manager® (CISM®), Certified in the Governance of Enterprise IT® (CGEIT®) and Certified in Risk and Information Systems Control™ (CRISC™) designations.

ISACA continually updates COBIT®, which helps IT professionals and enterprise leaders fulfill their IT governance and management responsibilities, particularly in the areas of assurance, security, risk and control, and deliver value to the business.

Follow ISACA on Twitter: http://twitter.com/ISACANews

Metro Bank Provides Innovative Approach to Banking and Security with Trusteer

London, 8th March, 2011 – Metro Bank, the first new high street bank in the UK for 100 years, today announced it has enlisted the Trusteer Rapport secure browsing service to ensure its customers are protected and secure in their online transactions with the bank, from the start. Having experienced exponential growth since its launch in July, a key consideration in Metro Bank's selection of Trusteer is that it is a proven security technology that can scale in a rapid growth environment, moving from protecting several thousand customers one day to millions the next.

Metro Bank brings a fresh approach to banking in the UK.

As a new entrant to the industry, Metro Bank has the perfect opportunity to benefit from the latest technology and business practice. One such area is online banking where it believes it is important not only to secure customers accessing their bank accounts online, but also when they spend online on other websites, with the mindset that providing adequate protection for all of its customers’ online financial transactions is paramount.

Craig Donaldson, CEO, Metro Bank PLC, explains further, "When we launched in July, we wanted to differentiate our services from other high street banks. We take the security of our customers very seriously and that means we have the best security components available. By adding Trusteer to our armory and offering it as a complimentary service to our customers, we can ensure that not only do we provide an unparalleled customer service experience, but also that our customers' money is completely safe and secure".

"By selecting Trusteer, Metro Bank has plugged into the biggest financial attack database on the internet and can immediately leverage the experience of the most attacked brands in the world to protect their customers against malware and phishing attacks," said Mickey Boodaei, CEO of Trusteer. "When it comes to being able to detect, analyze, and remove financial threats from customers' computers, Trusteer has proven over and over again that it's the fastest and most comprehensive technology in the market today."

Security Begins At Home

Unfortunately, in today's threat environment, traditional protection methods (firewalls and antivirus software) are inadequate, as criminals are continually striving to find ways to circumvent them. Zeus is one such example: its ability to morph makes it hard for traditional technology to detect. Providing additional security measures helps everyone bank safely online, even those who are not technically savvy, which helps keep costs down. The strength of Trusteer is that it protects customers at their own PC, providing a trusted, secure access point to the bank. Customers can transact securely, and everyone - bank and customers - has confidence that they are protected.

Trusteer Secures Online Banking

When a Trusteer user browses to sensitive websites such as internet banking, Webmail, or online payment pages, the service immediately locks down the browser and creates a secure tunnel for safe communication with the web site. This prevents malware from injecting data and stealing information entered and presented in the browser. Trusteer also removes malicious financial malware it discovers on protected machines. The service is directly connected to the bank and to a 24x7 fraud analysis service. Attempts to steal money from customers are immediately detected by the bank and are blocked using various layers of protection.

Trusteer Secures Online Spending 

When a customer uses their bank card to make an online purchase from a computer protected by Trusteer, the Rapport service automatically detects the action and then prevents fraudsters from intercepting the card number and protects any other personal information entered by the user into the webpage.

About Metro Bank PLC

Metro Bank was co-founded by Vernon Hill and Anthony Thomson. It is based on the successful Commerce Bank model that was established by Vernon Hill in the US in 1973. A UK management team worked with Vernon Hill to help bring this model to the UK market.

Metro Bank operates retail hours, not banking hours. It will be open seven days a week (8am- 8pm Monday to Friday, 8am - 6pm Saturday, 11am - 4pm Sunday and bank holidays), every day of the year apart from Good Friday, Easter Sunday, Christmas Day and New Year’s Day.

Metro Bank PLC. Registered in England and Wales. Company number: 6419578. Registered office: One Southampton Row, London, WC1B 5HA. ‘Metrobank’ is the registered trade mark of Metro Bank PLC.

In relation to acceptance of deposits and provision of investment and insurance services, Metro Bank PLC is authorised and regulated by the Financial Services Authority ('FSA'). In relation to consumer credit business, Metro Bank PLC is licensed and regulated by the Office of Fair Trading and not by the FSA. Most relevant deposits are protected by the Financial Services Compensation Scheme.  For further information about the Scheme refer to the FSCS website www.fscs.org.uk. 

All Metro Bank products are subject to status and approval.

Metro Bank PLC is an independent UK bank - it is not affiliated with any other bank or organisation (including the METRO newspaper or its publishers) anywhere in the world. Please refer to Metro Bank using the full name.

Metro Bank is led by a talented team of UK Executives:

  • Craig Donaldson, Chief Executive Officer, formerly Managing Director of Retail Banking at Royal Bank of Scotland
  • Paul Marriott-Clarke, Managing Director, Retail Banking, formerly Managing Director, Network South, Retail, HBOS
  • Darren Schindler, Managing Director, Commercial Banking, formerly CEO, Oak Capital Group
  • Aisling Kane, Chief Operations Officer, formerly Director of UK Operations at Anglo Irish Bank
  • Mike Brierley, Chief Financial Officer, formerly Director, Business Risk at Barclaycard
  • Mike Hudson, Chief Risk Officer, formerly Group Head of Risk at Hitachi Capital

Its non-executive directors are:

  • Stuart Bernau, former Retail Director, Nationwide Building Society
  • Keith Carby, Co-founder, J Rothschild Assurance
  • Howard Flight, Founder, Guinness Flight Asset Management
  • Ben Gunn, former Chief Executive of Friends Provident Life & Pensions
  • Vernon Hill, Founder of Commerce Bank
  • Eugene Lockhart, former CEO of Midland Bank and MasterCard International and former President, Global Retail Banking at Bank of America
  • Graeme Hardie, Senior Adviser on Retail Markets to the Financial Services Authority (FSA)
  • Anthony Thomson, Chairman, Financial Services Forum

About Trusteer

Trusteer is the world’s leading provider of Secure Web Access services. The company offers a range of services that detect, block and remove attacks launched directly against endpoints such as Man in the Browser, Man in the Middle and Phishing. Trusteer services are being used by leading financial organizations and enterprises in North America and Europe, and by tens of millions of their employees and customers to secure web access from mobile devices, tablets and computers to sensitive applications such as webmail, online payment, and online banking. HSBC, Santander, The Royal Bank of Scotland, SunTrust, Fifth Third, ING DIRECT, and BMO Financial Group are just a few of the companies using Trusteer’s technology. Trusteer is a privately held corporation led by former executives from RSA Security, Imperva, and Juniper. Follow us on www.Twitter.com/Trusteer. For more information about our services, please visit www.trusteer.com.

Source: Eskenzi PR

BitDefender warns Facebook scammers are targeting Twitter

Evidence suggests authors are looking to replicate their Facebook success

BitDefender®, an award winning provider of innovative internet security solutions, offers evidence supporting the close connection between the Twitter scam reported by the Sophos naked security blog and a similar Facebook scam.

The BitDefender online threats team traced one of the URLs used to spread the #howlong Twitter attack and, based on the advanced statistics provided by bit.ly, discovered that several Facebook scams such as 'See your first status', 'See who viewed your profile' and 'Your top stalker' had been disseminated from the same user account. This previously tested recipe turns out to be a success among microblogging fans, which confirms that scammers are not necessarily creative but highly profit oriented. Crucially, it also confirms that scams on Facebook are performed by the same people that send scams on Twitter.

Statistics illustrate the proportions of this phenomenon both in terms of geographical distribution and click count. For example, two of the malicious URLs used in this scam gathered more than eight thousand clicks. While this may not be an impressive figure in itself, users should be aware that the most frequent scenario is for each Facebook scam wave to use more than two hundred URLs to spread.

George Petre, BitDefender Threat Intelligence Team Leader states, “The similarities between the two scams indicate that their authors did not go to too much trouble when creating them, but that they clearly had efficiency in mind. Considering that social networks are a common layer of all platforms, scam authors may have found the perfect medium in which to cleverly maximise impact and any revenue they may be able to make.”

For the full report please visit Malware City. For a full list of BitDefender 2011 features and benefits by product, please visit www.bitdefender.co.uk or follow BitDefender on Twitter for daily malware alerts.

About BitDefender®
BitDefender is the creator of one of the industry's fastest and most effective lines of internationally certified security software. Since its inception in 2001, BitDefender has continued to raise the bar and set new standards in proactive threat prevention. Every day, BitDefender protects tens of millions of home and corporate users across the globe - giving them the peace of mind of knowing that their digital experiences will be secure. BitDefender security solutions are distributed by a global network of value-added distribution and reseller partners in more than 100 countries worldwide. More information about BitDefender and its products is available at the company's security solutions press room. Additionally, BitDefender's www.malwarecity.com provides background and the latest updates on security threats, helping users stay informed in the everyday battle against malware.

Analyst report outlines the importance of metadata to prevent data leaks

When it comes to securing and managing data, it's all about the metadata

New Analyst Report Outlines the Importance of Metadata Technology to Manage the Digital Information Explosion and Prevent Future Data Leaks

NEW YORK – March 7, 2011 - Varonis Systems Inc., the foremost provider of comprehensive data governance software, today announced the findings of a Technology Spotlight issued by analyst firm IDC, which outlines the emergence of metadata framework technology as a now critical component for managing and securing unstructured and semi-structured data within an organization.

The report, titled “Leveraging Metadata Framework Technology to Take Control of the Information Explosion,” highlights how the widespread use of collaborative content technologies is fueling the aggressive growth of unstructured and semi-structured data. While collaboration produces highly valuable information, it also introduces significant risk due to increasingly complex and dynamic access control requirements.

“Digital integrity is a critical business differentiator for any organization. The high-profile data breaches in the last three years demonstrate that organizations who fail to protect sensitive data will incur serious regulatory and legal liabilities, along with revenue and market share declines,” said Vivian Tero, program director, Governance, Risk & Compliance Infrastructure at IDC. “Visibility, actionable intelligence and automation are critical to managing the explosion of unstructured and semi-structured content in distributed systems.”

Varonis® Metadata Framework™ technology is designed to nonintrusively collect critical metadata about unstructured and semi-structured data. Varonis customers have the ability to completely standardize unstructured and semi-structured data protection and management for their file systems, NAS, SharePoint sites and Exchange mailboxes and public folders with the Varonis Metadata Framework technology that forms the foundation of Varonis software. Organizations can effectively and automatically manage data access control, ownership, classification, entitlements and authorization processes on the platforms that host unstructured and semi-structured data. The Varonis Metadata Framework enables organizations to expand digital collaboration boundaries safely while at the same time significantly increasing IT workforce productivity for daily data protection and management tasks.

"The findings of this technology spotlight underscore the need for organizations to have metadata framework technology in place that automates the process of answering the following questions: Who has access to data, who is using their access, who shouldn't have access, who owns the data, and what data is sensitive?" said Yaki Faitelson, chief executive officer, president and co-founder of Varonis Systems. "With IT departments already stretched thin, the days of manually verifying data entitlements and remediating compliance violations are not only impractical and time consuming, but also detrimental to a company's bottom line."

IDC forecasts that the total digital universe volume will increase by a factor of 44 in 2020. According to the report, unstructured data and metadata have an average annual growth rate of 62 percent. More importantly, high-value information is also skyrocketing. In 2008, IDC found that 22 to 33 percent of the digital universe was high-value information (data and content that are governed by security, compliance and preservation obligations). Today, IDC forecasts that high-value information will comprise close to 50 percent of the digital universe by the end of 2020. 

Drivers for a metadata framework include:

· Data loss is rising: IDC research notes that organizations average 14.4 unintentional data losses a year, mostly through employee negligence. Organizations need to ensure that controls are in place to mitigate the risks of data leakage, theft, loss and integrity arising from excessive access rights and permissions and non-existent audit trails. Excessive and/or out of date privilege and access rights were considered as having the most financial impact on the organization.

· IT is drowning in the data deluge: IT budgets are, on average, growing at less than one-fifth the forecasted annual growth rates of digital information, according to IDC. At the same time, manual approaches to managing and protecting information have become unwieldy, error-prone and ineffective. IT needs automated analysis of the permissions structure to determine which containers require ownership, and analysis of actual access activity to identify likely data owners.

· Stale data impacts the bottom line: Inactive and orphaned folders can be as high as 70 to 85 percent of the data in distributed systems. The majority of organizations have no process to identify the owner of files, and many are unable to determine which individuals and roles are authorized to access the data.

· Impact on the cloud: Without adequate information on the security and compliance profile of the data – including data ownership, access controls, audits and classification – cloud computing initiatives are amorphous and imprecise. CFOs and CIOs will be hesitant to move critical data and processes into the cloud without visibility on access and ownership, traceability and data segregation.

· Automation is key to success: Too often, users have access to significant amounts of data that isn’t relevant to them. Organizations therefore need to ensure that users and roles are aligned to correct groups, and that these groups enable access to the appropriate data containers.

About the Varonis® Metadata Framework™

Four types of metadata are critical for data governance:

  • User and Group Information – from Active Directory, LDAP, NIS, SharePoint, etc.
  • Permissions Information – knowing who can access what data in which containers
  • Access Activity – knowing which users do access what data, when, and how
  • Sensitive Content Indicators – knowing which files contain items of sensitivity and importance, and where they reside

The Varonis Metadata Framework non-intrusively collects this critical metadata, generates metadata where existing metadata is lacking (e.g. through its file system filters and content inspection technologies), pre-processes it, normalizes it, analyzes it, stores it, and presents it to IT administrators in an interactive, dynamic interface.
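The drivers above and the four metadata types just listed describe a single join: directory group membership, ACLs, access activity and sensitivity flags combined to answer, per container, who the likely owner is, whether the data is stale, and which entitled users never exercise their access. The Go program below is an added worked example of that join; it is not Varonis code. The share paths, groups, users, audit events and the 180-day staleness threshold are constructed for illustration.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// AccessEvent is one access-activity record: who touched which container, when.
type AccessEvent struct {
	User, Container string
	When            time.Time
}

// Report is the governance view of one container: likely owner, staleness, unused entitlements.
type Report struct {
	Container    string
	Sensitive    bool
	LikelyOwner  string   // most active user; "" when nobody has accessed it
	Stale        bool     // no access within the staleness threshold
	UnusedAccess []string // users entitled via the ACL who never accessed it
}

// Constructed sample metadata standing in for the four types the paper lists; all names are illustrative.
var (
	permissions = map[string][]string{ // container -> principals on its ACL
		"fs01/finance/payroll":  {"grp-finance", "grp-contractors", "bob"},
		"fs01/hr/records":       {"grp-hr", "grp-everyone"},
		"fs01/old/projects2004": {"grp-everyone"},
	}
	groups = map[string][]string{ // directory group -> members
		"grp-finance":     {"alice", "carol"},
		"grp-contractors": {"dave"},
		"grp-hr":          {"erin"},
		"grp-everyone":    {"alice", "bob", "carol", "dave", "erin"},
	}
	sensitive = map[string]bool{"fs01/finance/payroll": true, "fs01/hr/records": true}
	now       = time.Date(2011, 3, 18, 0, 0, 0, 0, time.UTC) // fixed clock so the output is deterministic
	events    = []AccessEvent{ // constructed audit-log activity
		{"alice", "fs01/finance/payroll", time.Date(2011, 3, 10, 0, 0, 0, 0, time.UTC)},
		{"alice", "fs01/finance/payroll", time.Date(2011, 3, 12, 0, 0, 0, 0, time.UTC)},
		{"bob", "fs01/finance/payroll", time.Date(2011, 3, 1, 0, 0, 0, 0, time.UTC)},
		{"erin", "fs01/hr/records", time.Date(2011, 3, 15, 0, 0, 0, 0, time.UTC)},
	}
)

// effectiveUsers expands an ACL's principals through group membership.
func effectiveUsers(container string) map[string]bool {
	users := map[string]bool{}
	for _, p := range permissions[container] {
		if members, isGroup := groups[p]; isGroup {
			for _, u := range members {
				users[u] = true
			}
		} else {
			users[p] = true
		}
	}
	return users
}

// Analyze joins the four metadata types into one Report per container (keyed by container).
func Analyze(evs []AccessEvent, now time.Time) map[string]Report {
	counts := map[string]map[string]int{} // container -> user -> access count
	last := map[string]time.Time{}        // container -> most recent access
	for _, e := range evs {
		if counts[e.Container] == nil {
			counts[e.Container] = map[string]int{}
		}
		counts[e.Container][e.User]++
		if e.When.After(last[e.Container]) {
			last[e.Container] = e.When
		}
	}
	out := map[string]Report{}
	for c := range permissions {
		r := Report{Container: c, Sensitive: sensitive[c]}
		r.Stale = last[c].IsZero() || now.Sub(last[c]) > 180*24*time.Hour // assumed threshold
		for u, n := range counts[c] { // most active user wins; ties broken by name
			if best := counts[c][r.LikelyOwner]; n > best || (n == best && u < r.LikelyOwner) {
				r.LikelyOwner = u
			}
		}
		for u := range effectiveUsers(c) { // entitled but never seen in the activity log
			if counts[c][u] == 0 {
				r.UnusedAccess = append(r.UnusedAccess, u)
			}
		}
		sort.Strings(r.UnusedAccess)
		out[c] = r
	}
	return out
}

func main() {
	for _, r := range Analyze(events, now) {
		fmt.Printf("%+v\n", r)
	}
}
```

The sensitive containers with long unused-access lists (here the HR share, readable by everyone but used only by erin) are where remediation pays off first; the stale, ownerless 2004 project share is the candidate for archiving.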

The Technology Spotlight paper is adapted from "IDC Worldwide Governance, Risk, & Compliance Infrastructure 2010-2014 Forecast: Increased Regulatory Oversight, Privacy, Cloud Computing and Smart Cities Drive Emerging GRC Obligations 2010" by Vivian Tero; IDC doc #222214. The paper is available online at varonis.com/metadata.

Free 30-day Trial Aids with Data Leak Prevention

Enterprises can receive a free, 30-day trial of Varonis DatAdvantage to help them with their data governance assessments by visiting go.varonis.com/go/17982. Within hours of installation, customers can conduct an automated permissions audit, generate reports, and see which users are accessing the data and how.

About Varonis Systems
Varonis is the leader in unstructured and semi-structured data governance for file systems, SharePoint and NAS devices, and Exchange servers. The company was named "Cool Vendor" in Risk Management and Compliance by Gartner, and voted one of the "Fast 50 Reader Favorites" on FastCompany.com. Varonis has over 3,000 installations worldwide. Based on patented technology and a highly accurate analytics engine, Varonis' solutions give organizations total visibility and control over their data, ensuring that only the right users have access to the right data at all times. Varonis is headquartered in New York, with regional offices in Europe, Asia and Latin America, and research and development offices in Herzliya, Israel.

Varonis, the Varonis logo, DatAdvantage and DataPrivilege are registered trademarks of Varonis Systems in the United States and/or other countries and Data Classification Framework and Metadata Framework are under a registration process in the United States and/or other countries. All other product and company names and marks mentioned in this document are the property of their respective owners and are mentioned for identification purposes only.

Source: Eskenzi PR Ltd. for Varonis Systems

DES Launches New DESlock+ Enterprise Server

· DES revolutionises encryption key and policy management by moving deployment into the cloud

Taunton, UK, 4th March 2011 – Data Encryption Systems Limited (DES), the UK-based leader in software copyright protection, data encryption and winner of Computing Security's Encryption Product of the Year 2010, has today announced the release of its new DESlock+ Enterprise Server.

The new DESlock+ Enterprise Server brings cloud-based management to endpoint encryption, allowing centralised control of encryption keys and policy beyond the perimeter of corporate networks. Companies will be able to extend their encryption security policy to home and mobile networks by delivering key and policy updates to users through the cloud, meaning endpoints can be updated and data accessed from anywhere. David Tomlinson, Managing Director for DES, comments:

“End-point encryption is mostly targeted at mobile workers using laptops and USB flash drives, as it allows users to protect their data even from remote locations, ensuring they are meeting data protection and compliance requirements at all times. However end-point encryption still often relies on users connecting to a corporate network to manage their encryption keys and software policy, which can cause an issue for users who are seldom in the office.

Previously DESlock+ Enterprise Server has allowed for management of endpoints via the internet, however setup and configuration through this method is complex, slow and expensive. By moving the deployment component into the cloud all connections from client and server become outgoing, making it easy and cost effective for any organisation to remotely manage endpoint encryption, meeting regulatory conditions and completing security audits along the way.”

Cloud-based management is a game-changing technology for software products with complex and variable configurations, anti-virus being an ideal example. Encryption, however, poses a different set of problems, most importantly the need to avoid storing encryption keys on an internet-facing web server. DES’s new patent-pending solution splits part of the Enterprise Server off, moving the deployment component into the cloud to create a Proxy Server. This Enterprise Proxy behaves in a similar way to an email server, with client updates synced out for collection by the end user, and status responses synced back for collection by the Enterprise Server. With communications protected by SSL, the data posted through the Enterprise Proxy is protected with 1024-bit RSA and 256-bit AES. Tomlinson explains:

“Our technology is genuinely revolutionary, and our patent pending status confirms this. No one else is doing this at the moment and it can transform the way key management is handled for remote workers.  The Enterprise Proxy is hosted in a 3 tier data centre in London, but for anyone not wishing to use this service, it may be hosted on their own web-server, with their own ISP or even run on the same computer as the Enterprise Server. Our Enterprise Server and its Proxy component can therefore offer users the convenience and cost-benefits of a cloud-based management service, without the risks created by moving encryption keys and databases off-site. The DESlock+ Enterprise Server offers customers the ability to maintain control of remote stations and staff, as well as the advantage of simplistic deployment. Our new system changes the rules for managing endpoint encryption.”
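The design described above, in the release text and in Tomlinson's explanation, is a store-and-forward relay that must never be able to read or alter the key material it carries, even though both the server and the endpoint only ever connect outbound to it. The Go program below is an added example of the envelope-encryption pattern that gives a relay those properties; it is not DESlock+ code and makes no claim about DES's actual wire format. Each update is encrypted under a fresh AES-256-GCM data key, that key is wrapped with the endpoint's RSA public key (OAEP), and the whole envelope is signed by the Enterprise Server (RSA-PSS) so that a compromised proxy cannot inject a forged key revocation. It uses 2048-bit RSA rather than the 1024-bit keys the release cites, since 1024-bit RSA is no longer considered adequate; the in-memory relay, the endpoint id and the update text are assumptions for illustration.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is all the relay ever stores: it can route by To, but cannot read
// the update or alter it without detection.
type Envelope struct {
	To         string // endpoint id (assumed naming); also bound as GCM AAD
	WrappedKey []byte // fresh AES-256 key, RSA-OAEP encrypted to the endpoint
	Nonce      []byte // GCM nonce
	Ciphertext []byte // AES-256-GCM over the key/policy update
	Signature  []byte // RSA-PSS by the Enterprise Server over the fields above
}

// signedBytes is what the server signs and the endpoint verifies.
func (e Envelope) signedBytes() []byte {
	b := append([]byte(e.To), e.WrappedKey...)
	b = append(b, e.Nonce...)
	return append(b, e.Ciphertext...)
}

// Relay is the untrusted proxy: one mailbox per endpoint, filled by Post (server) and drained by Collect (endpoint).
type Relay struct{ boxes map[string][]Envelope }

func NewRelay() *Relay           { return &Relay{boxes: map[string][]Envelope{}} }
func (r *Relay) Post(e Envelope) { r.boxes[e.To] = append(r.boxes[e.To], e) }
func (r *Relay) Collect(id string) []Envelope {
	out := r.boxes[id]
	delete(r.boxes, id)
	return out
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is the Enterprise Server side: encrypt one update under a single-use data key, wrap that key to the endpoint, sign.
func Seal(server *rsa.PrivateKey, endpoint *rsa.PublicKey, to string, update []byte) (Envelope, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return Envelope{}, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return Envelope{}, err
	}
	e := Envelope{To: to, Nonce: make([]byte, gcm.NonceSize())}
	if _, err := rand.Read(e.Nonce); err != nil {
		return Envelope{}, err
	}
	e.Ciphertext = gcm.Seal(nil, e.Nonce, update, []byte(to))
	if e.WrappedKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, endpoint, key, nil); err != nil {
		return Envelope{}, err
	}
	digest := sha256.Sum256(e.signedBytes())
	e.Signature, err = rsa.SignPSS(rand.Reader, server, crypto.SHA256, digest[:], nil)
	return e, err
}

// Open is the endpoint side: verify the server's signature before touching any ciphertext, then unwrap and decrypt.
func Open(endpoint *rsa.PrivateKey, server *rsa.PublicKey, e Envelope) ([]byte, error) {
	digest := sha256.Sum256(e.signedBytes())
	if err := rsa.VerifyPSS(server, crypto.SHA256, digest[:], e.Signature, nil); err != nil {
		return nil, errors.New("envelope not signed by the Enterprise Server")
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, endpoint, e.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, e.Nonce, e.Ciphertext, []byte(e.To))
}

func main() {
	server, _ := rsa.GenerateKey(rand.Reader, 2048)
	laptop, _ := rsa.GenerateKey(rand.Reader, 2048)
	relay := NewRelay()
	env, _ := Seal(server, &laptop.PublicKey, "laptop-0042", []byte("policy: encrypt removable media"))
	relay.Post(env) // the proxy now holds only ciphertext and a signature
	update, err := Open(laptop, &server.PublicKey, relay.Collect("laptop-0042")[0])
	fmt.Printf("update=%q err=%v\n", update, err)
}
```

The check a practitioner wants from any such relay is the one the signature provides: the proxy operator, or anyone who compromises the hosted proxy, must be unable to push a key erase or policy change to endpoints. Confidentiality of the wrapped key alone does not give that; authenticity of the envelope does.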

To complement DES’s new feature enhancements, the Enterprise Server management console has been significantly improved. Now browser-based and available to multiple users, it may be used by administrators with full access to encryption policy settings and encryption keys, or by help-desk users who are limited to user recovery and remotely resetting passwords, which allows more flexibility in day-to-day management. Other key features include:

· Web-Based User Interface – A multi-user interface available from most web browsers from any point on the network

· Internet Connection – Client updates and status responses are encrypted and transmitted over the web

· Licence Management – Multiple organisational units and group licences can be managed from a single interface

· Encryption Key Management – Keys may be added, removed or erased remotely, with updates targeting users and/or workstations

· Encryption Policy Management – The product facilitates the full remote control of software features and endpoint encryption policy

· Assured Security – DESlock+ is CESG CCTM accredited and FIPS 140-2 level 1 validated

This update coincides with DES’s move to a per-user licensing structure, which extends to users’ home PCs at no extra cost. This means that staff using home computers for work may be supplied with a corporate install to be managed centrally as part of an enterprise-wide data security program. Tomlinson concludes:

“We have launched the Enterprise Server in response to the recent remote working phenomenon and are delighted that it provides a complete data protection solution that goes beyond the traditional corporate network. This is just part of an overall drive that DES has undertaken to move with business and provide solutions that meet the needs of mobile workers. We have also recently added 2 new features for the DESlock+ Standard Edition, including removable media encryption and portable encryption, as well as moving to a per user licensing structure, giving more flexibility to mobile workers at an unbeatable price. I believe it is with innovation such as this that DES will continue to lead the market for data protection and security.”

To find out more, please visit www.des.co.uk.

About Data Encryption Systems (DES)

Since 1985, Data Encryption Systems has been the UK’s most successful manufacturer of software protection dongles, software copyright protection systems, and secure handset reprogramming accessories. Data Encryption Systems markets and supports products used by tens of thousands of businesses worldwide to protect applications, copyrighted materials, medical records, government files and other confidential and personal information. The company’s flagship product, DESlock+, has been awarded SC Magazine’s Best Buy for three successive years and was also the winner of Computing Security's Encryption Product of the Year 2010.

Malware on the Decline? Or Is Evasion on the Rise?

PandaLabs’ recent malware findings report indicates that the number of infected clients decreased in February relative to January. The data for this research was gathered from their antivirus tool. On the face of it this is a surprising fact, as security researchers are continuously discussing an epidemic of client-side threats where there is a consistent increase in malware and their variants. However, looking closely at malware we see that hackers are investing in evasion techniques to bypass security controls, such as anti-virus. More so, as hackers are releasing new variants of client-side threats at such a rapid rate, anti-malware detection tools are faced with the nearly impossible task of keeping up-to-date with all new - and old - variants.

For instance, in our labs we have witnessed quite a few Trojans which were not detected by some common AVs for over a week. Other types of malware are used to sting victims very quickly, so even if an AV detects the threat, it is already too late. Take for example the re-emergence of - what Imperva has dubbed - the "Boy in the Browser" (BitB) Trojan. This Trojan, once executed on the victim's machine, re-routes the victim's traffic to pass through an attacker-controlled server. The BitB does this by tampering with the mapping of hostname to network address. Once this persistent change to the configuration file is performed, the exploit code is then removed from the victim's machine. As a consequence, even if that user updated their AV content the next time they switched on their computer, no AV mechanism would detect this modification, as the malware is not even installed on the machine.

We believe that although these results show a drop in malware, in reality client-side malware will just continue to increase, making the task of ensuring security on the client's machine all the more implausible. Ultimately, consumer infection has become a business problem. This means that businesses need to start dealing with this growing threat. While providers should urge consumers to be prudent, they must learn how to interact with infected consumers and create a safe business environment for them regardless of the general threat. These solutions include identifying account takeover, defeating phishing campaigns, detecting infected clients, interacting with infected clients and even sandboxing client sessions.

For more information see the Imperva Blog http://blog.imperva.com/
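The BitB behaviour described above, rewriting the local hostname-to-address mapping (the hosts file) and then deleting the dropper, is exactly the case where a file-based integrity check beats a malware signature: the hosts file stays modified after the malware is gone. The Go program below is an added example of such a check; it is not Imperva's code. It parses hosts-file syntax and flags any entry that pins a watch-listed domain (a bank's) to any address, or pins any non-default name to a non-loopback address, while leaving loopback "blackhole" entries alone. The sample hosts content, the examplebank.com watch list and the TEST-NET addresses are constructed for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"strings"
)

// HostEntry is one parsed hosts-file mapping: an address and its hostnames.
type HostEntry struct {
	Line  int
	IP    net.IP
	Names []string
}

// Constructed sample hosts file. The examplebank.com lines are the kind of
// residue a BitB-style infection leaves behind; 192.0.2.10 and 203.0.113.7
// are documentation (TEST-NET) addresses, not real hosts.
const sampleHosts = `# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
192.0.2.10      www.examplebank.com      # attacker-controlled relay
192.0.2.10      online.examplebank.com
127.0.0.1       ads.example.net          # benign ad blackholing, stays loopback
203.0.113.7     update.example.org
`

// benignNames are the default loopback/IPv6 entries shipped with Windows and
// common Linux distributions; they are never reported.
var benignNames = map[string]bool{
	"localhost": true, "localhost.localdomain": true, "broadcasthost": true,
	"ip6-localhost": true, "ip6-loopback": true, "ip6-localnet": true,
	"ip6-mcastprefix": true, "ip6-allnodes": true, "ip6-allrouters": true,
}

// ParseHosts reads hosts syntax ("<address> <name> [alias ...]", '#' comments).
func ParseHosts(text string) []HostEntry {
	var out []HostEntry
	sc := bufio.NewScanner(strings.NewReader(text))
	for n := 1; sc.Scan(); n++ {
		line := sc.Text()
		if i := strings.IndexByte(line, '#'); i >= 0 {
			line = line[:i]
		}
		fields := strings.Fields(line)
		if len(fields) < 2 {
			continue
		}
		ip := net.ParseIP(fields[0])
		if ip == nil {
			continue // not an address; resolvers ignore malformed lines too
		}
		e := HostEntry{Line: n, IP: ip}
		for _, f := range fields[1:] {
			e.Names = append(e.Names, strings.ToLower(f))
		}
		out = append(out, e)
	}
	return out
}

// onWatchList reports whether name equals, or is a subdomain of, a watched domain.
func onWatchList(name string, watched map[string]bool) bool {
	for name != "" {
		if watched[name] {
			return true
		}
		i := strings.IndexByte(name, '.')
		if i < 0 {
			return false
		}
		name = name[i+1:]
	}
	return false
}

// Suspicious returns one finding per hostname that a hosts entry could use to
// redirect a browser: any watch-listed domain pinned to any address, and any
// other non-default name pinned to a non-loopback address.
func Suspicious(entries []HostEntry, watch []string) []string {
	watched := map[string]bool{}
	for _, w := range watch {
		watched[strings.ToLower(w)] = true
	}
	var findings []string
	for _, e := range entries {
		for _, name := range e.Names {
			switch {
			case benignNames[name]:
			case onWatchList(name, watched):
				findings = append(findings, fmt.Sprintf("line %d: watch-listed host %s pinned to %s", e.Line, name, e.IP))
			case !e.IP.IsLoopback():
				findings = append(findings, fmt.Sprintf("line %d: %s pinned to non-loopback address %s", e.Line, name, e.IP))
			}
		}
	}
	return findings
}

func main() {
	for _, f := range Suspicious(ParseHosts(sampleHosts), []string{"examplebank.com"}) {
		fmt.Println(f)
	}
}
```

To run it against a real machine, read C:\Windows\System32\drivers\etc\hosts or /etc/hosts with os.ReadFile and pass the contents to ParseHosts; the watch list would be the domains a provider actually serves. Because the check looks at the file's current state rather than for a running process, it still fires after the dropper has deleted itself.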

Fraudsters Use Bogus Support Calls to Try and Hijack Peoples PCs

Submitted by Mickey Boodaei, Trusteer CEO

With nearly 100 banks that offer Trusteer’s Rapport for secure web access we are now reaching 20 million installations. Our large install base and the level of trust people have developed in our brand provide us with a unique view of new types of fraud as users contact our free 24x7 support center to get advice. One of these recent interesting incidents, described here, reminds us that fraud can take many shapes and forms.

We recently received a report from a concerned Rapport user who said she had a phone call from someone claiming to be from Microsoft Windows Solutions saying that, because of error messages from her computer, he was tasked to help fix any problems she had.  In fact he was not from Microsoft and tricked her into letting him connect to her PC and then tried to con her into buying bogus security products.

The recipient of the call initially thought the call was genuine and allowed the caller to remote access her computer - and show her the "viruses which had infected my system."

"When he tried to sell me some software I ended the call and did not give him any personal details, credit card or otherwise. Nevertheless, I'm worried that my computer may be vulnerable to future attack", she told our help desk, asking for assistance.

According to our Rapport user, the telephone caller led her to a Web site that allowed her to download a free remote access application that allowed him to access her computer.

"He then showed me a long list of files - all viruses, he said, and some very dangerous. I told him that I had good security on my computer," she said, adding "I could not understand how that could happen."

"He said he was transferring me to his supervisor who would solve these problems. The supervisor showed me yet more virus files, which he said were located in a hidden part of the computer and he couldn't therefore clean it up without Windows 7 being installed (I run Vista) and some new security software," she said.

Whilst it does not appear the scam artists behind this call infected our Rapport user, they then tried to sell her a £300 security application, which they could offer her much more cheaply.

"As he rang off, he warned me that my computer was in very bad shape and would crash any day. The call lasted around 20 minutes and I feel like such an idiot to have been taken in for that length of time, and very nervous that they had all the time in the world to infect my computer," the Rapport user told our researchers. 

Well, the good news is that our support team was able to work with this lady and ensure that her machine was not infected. 

We searched our support database for similar incidents and indeed we do see users coming in with similar reports from time to time. From that we can conclude that this is indeed a common method of fraud that users should be aware of and avoid. It’s easy to think that you’d never fall for this type of fraud. But keep in mind that these fraudsters are very experienced and good at what they do. If it’s not you then it could be your friend, your parents, or your spouse who may be taken in by this sort of plausible-sounding "security support call".

We’ve recently added an awareness center to our Rapport secure web access software. The awareness center gives you information about recent scams and security alerts that you should be aware of. It’s incorporated into the Rapport console and you can choose whether to visit it yourself or set it to pop up an alert when a new report is available. We believe this tool could be useful in keeping you in the know and providing you with tips on how to avoid new types of threats.

Every little bit helps. As the popular supermarket slogan says, and this is no less true in the IT security space. 

Stay safe when using the Internet.

For more information see http://www.trusteer.com/blog

ISACA expert claims virtualisation dates back to 1960s

London, UK 2nd March 2011 - A leading IT security expert claims that, despite all the media hype, virtualisation is not a new technology and dates all the way back to the 1960s. Professor John Walker, member of the Security Advisory Group of ISACA’s London Chapter and CTO of Secure-Bastion, said that, although it is not new, virtualisation has recently come to the forefront again and offers many benefits to the enterprise IT environment.

Professor Walker gave an online presentation in which he said that, whilst virtualisation's benefits include reduced server sprawl and quicker build times, there are clear security issues.

As with any system or application configuration, he said, control is vital to security, and security professionals should remember that this principle applies to online and offline images alike.

IT professionals, he went on to say, should take care to ensure that new builds are tracked and that, as with conventional systems and applications, virtualised environments need to be patched and fixed.

"They also suffer from vulnerabilities," he told his audience.

Professor Walker also detailed his “ring security strategy,” which defines the virtual environment as the operating system block and three rings: ring 0, ring 1-2 and user applications.

Despite the potential security headaches associated with virtual networks, Professor Walker said that VLANs have become a great security enabler for the enterprise and that VM environments are ideal platforms for IT testing.

VM systems are also ideal tools for the mobile security tester, he went on to say, adding that this is because they support the running of multiple operating systems, multiple applications and multiple tools.

"And if you break it, you just recopy the image," he explained.

The cloud, however, changes a number of things. Professor Walker said that the advent of cloud computing has seen, and will continue to see, the use of virtualisation advance.

The question is, he added, are VM applications getting too expensive?

For more details of Professor Walker's presentation and a recording: http://bit.ly/gxRJTz

For further guidance on virtualisation, ISACA’s white paper, Virtualization: Benefits and Challenges, and a Virtualization Security Checklist are available as complimentary downloads from www.isaca.org/virtualization.


With 95,000 constituents in 160 countries, ISACA® (www.isaca.org) is a leading global provider of knowledge, certifications, community, advocacy and education on information systems (IS) assurance and security, enterprise governance and management of IT, and IT-related risk and compliance. Founded in 1969, the nonprofit, independent ISACA hosts international conferences, publishes the ISACA® Journal, and develops international IS auditing and control standards, which help its constituents ensure trust in, and value from, information systems. It also advances and attests IT skills and knowledge through the globally respected Certified Information Systems Auditor® (CISA®), Certified Information Security Manager® (CISM®), Certified in the Governance of Enterprise IT® (CGEIT®) and Certified in Risk and Information Systems Control™ (CRISC™) designations. ISACA continually updates COBIT®, which helps IT professionals and enterprise leaders fulfill their IT governance and management responsibilities, particularly in the areas of assurance, security, risk and control, and deliver value to the business.

Follow ISACA on Twitter at http://twitter.com/ISACANews

Source: Eskenzi PR

400 percent increase in USBs left at the dry cleaners


Company Sees 400 Percent Increase in USBs Left Behind in Clothes to be Dry Cleaned

LONDON, U.K, and ADDISON, Texas—March 1, 2011—CREDANT Technologies, the trusted data protection experts, recently conducted a survey of dry cleaners and laundrettes in the U.K. and discovered more than 17,000 USB sticks were left behind in 2010 in clothes left to be dry cleaned. This is a 400 percent increase from 2009. More than 500 dry cleaners and laundrettes from around the U.K. participated in the research survey.

Tweet this: #CREDANT announces results of UK launderette research; 17K USBs left behind, putting potentially proprietary and sensitive data at risk

“The numbers of USB sticks forgotten in trousers and shirt pockets is staggering and is a direct result of growth in ‘IT consumerisation,’ as consumers today carry more and more mobile devices than ever before, such as smart phones, laptops, iPads, USB sticks and other portable devices,” said Sean Glynn, vice president of marketing, CREDANT Technologies. “Inevitably, unsuspecting consumers leave the USB sticks behind, creating a potential risk for their employers if these devices have proprietary information on them and end up in the hands of criminals.”

IT consumerisation refers to the increasing use of personal consumer electronics and web services in an enterprise environment, particularly mobile technology that can store personal and private data. USB sticks are the cheapest and most convenient means of storing data; they are probably also the most easily lost devices. With so many thousands of USB sticks left in dry cleaners alone, the probability increases that valuable corporate data resides on some of them, presenting a potential security risk for the owner's employer. In the U.K., the Information Commissioner’s Office (ICO) was given the power in April 2010 to issue fines of up to £500,000 for breaches of the Data Protection Act (DPA). Four major fines have been issued since then, with two local authorities falling victim this month: Ealing Council for £80,000 and Hounslow Council for £70,000.

“The public sector is looking to make savings of £81 billion over the next four years, and at the very least, this could be one way to make up some of the deficit,” said Glynn. “There remains one thing more important even than the potential £8.6 billion in revenues that could be generated if we were to assume that each of these USB sticks contained sensitive information, and were not encrypted. This type of assertive action from the ICO would make the corporations and organisations that regularly access and use potentially sensitive information finally put the policies, technologies and protections in place that can mitigate this risk.”

Glynn continued, “Such technologies are available today in the market, offering the centralised detection, encryption, auditing and compliance reporting that organisations need to ensure the protection of their data. With the best intentions in the world, the reality is devices are often left behind and the information they contain could be devastating if disclosed—over and beyond the ICO fines. Organizations need to plan for this when developing their security strategies.”

Research Methodology

CREDANT conducted outreach via phone to more than 500 dry cleaners and launderettes in the U.K. during December 2010 and January 2011 and extrapolated these figures based on 4,500 dry cleaners in the UK.

About CREDANT Technologies

CREDANT Technologies is the trusted expert in data protection. CREDANT’s data security solutions mitigate risk, preserve customer brand and reduce the cost of compliance, enabling business to “protect what matters.” CREDANT has been recognized by Inc. magazine as the #1 fastest growing security software company in 2008 and 2007; was selected by Red Herring as one of the top 100 privately held companies and top 100 Innovators; and was named Ernst & Young Entrepreneur of the Year® 2005. Austin Ventures, Menlo Ventures, Crescendo Ventures, Cisco Systems (NASDAQ:CSCO), and Intel Capital (NASDAQ:INTC) are investors in CREDANT Technologies. For more information, visit www.credant.com.

Source: Eskenzi PR

Use your smartphone to log into cloud and secure systems at your peril says Lieberman Software CEO

Research by a US university undergraduate revealing that Google Android apps are sending user credentials in the clear comes as no surprise to Phil Lieberman, CEO of Lieberman Software. "According to newswire reports, Dan Wallach's research has revealed that several Android apps - including an approved Facebook application - are sending all data but the password ‘in the clear.’ This is absolutely typical of open source software, since there is little incentive for the software developer to use secure protocols unless the destination system requires this,” he said.

"And this is the biggest issue with open source software. Whilst the economic imperative to go open source is clearly very strong, companies that use open source, such as Android, which is based on Linux code, also need to ensure their software is robust on the security front, and this process costs money," he added.

Lieberman, whose company specialises in privileged identity management and security solutions, went on to say that Android apps are an interesting case as, unlike most open source software, the apps are usually designed to run on an as-is basis, so adding security on the IP transmission side is not always an easy task.

Lieberman said: “I would go one step further and state that this disclosure is but one early warning shot about the use of cloud computing and new platforms such as Android and Windows Mobile 7. The other element is the stark reality that computer science graduates rarely, if ever, receive any training on how to write secure applications. So it should come as no surprise that many applications created by these same people are insecure. Depending on the platform provided by a vendor, the core security available to the developer (given that they know what they are doing), can also be woefully inadequate. As a consequence, developers of applications frequently find themselves needing to add layer upon layer of additional technology which may be beyond their expertise and budget. Because security is frequently an "out of sight, out of mind" problem, it does not get addressed/funded until someone complains or something bad happens.”

With apps for other smartphone platforms, such as BlackBerry and iOS (for the iPhone, iPad and iPod touch), there are vetting procedures in place to ensure that a third-party application does not get offered without some sort of assurance that it is robust from a security perspective.

At the end of the day, however, Lieberman says it is difficult to guarantee that a smartphone app is as secure as a desktop application, for the simple reason that few smartphone users in a corporate environment have access to smartphone app security checking.

This is why, he explained, Lieberman Software is so big on privileged account security, since using an account that has high user privileges on a smartphone - especially across public access WiFi channels, which can easily be eavesdropped - is a high risk activity.

Lieberman said: “So this story is a great lesson that it is time for developers to hit the books on how to secure their applications, and platform vendors need to complete their security and encryption suites to make it “easy” for developers to write secure applications.”

"Yes, it is convenient to access a Web interface to a computer system using a smartphone whilst on the move, but this is why privileged identity management systems exist. Carefully controlling what any user can do - or cannot do - is at the heart of a good security system," he said.

"I suspect you will find many other examples of smartphone apps that have a security hole in them. The sad fact is that, until someone's smartphone-transmitted credentials are ransacked to commit a serious cybercrime, we don't get to hear about it until it's too late," he added.

For more on the latest Google Android security issues: http://bit.ly/gmdt8I

For more on Lieberman Software: www.liebsoft.com

Source: Eskenzi PR