Security Concerns over Cloud Storage

Many more businesses are moving their data storage requirements to cloud service providers but are they making provision for the securing of that data, asks Managing Director of data security company Digital Pathways, Colin Tankard.

“The responsibility for securing your data being stored in the cloud remains with you, as it would if you held it on your own server. I wonder how many businesses understand this?” says Tankard.

Using the cloud offers great benefits, especially in terms of cost reduction. However, as businesses face increasing pressure regarding issues of compliance and privacy, the need to ensure robust data security increases exponentially.

“I think some businesses may well be put off using the cloud because of the security issue but there are good solutions out there in the form of robust encryption products.

“Digital Pathways, for example, offers its clients the Vormetric data security product for Amazon web services which offers rapid deployment, is granular, offers separation of duties, is simple and portable.

“One thing is certain, employing the best data security is an absolute must for all business situations but especially if you are going to use the cloud,” concludes Tankard.

Source: Joy Moon. PR Consultant for Digital Pathways

This press release is presented without editing for your information only.

Full Disclosure Statement: The ICT REVIEW received no compensation for any component of this article.

Lieberman Software warns on new hacking trend of malware-driven pervasive memory scraping

Reports are coming in of a new trend in hacking techniques. Known as ‘pervasive memory scraping,’ the technique relies on the fact that certain areas of Windows memory are only occasionally overwritten, meaning that data from software that has been closed down on the PC can still remain for some time after.

According to Lieberman Software the red flag was raised recently by the SANS Institute about this new hacker technique. Since then hackers have used the technique to grab personally identifiable information (PII) from users' PCs.

“The SANS Institute is reported to have spotted evidence of this type of attack methodology on an increasing basis. This means that, where a Windows PC user loads a secure application to view data, views that data and then closes the application, there is a chance that the data may continue to reside in the computer's memory for some time after,” said Phil Lieberman, CEO of Lieberman Software.

“Put simply, this means that, even if the secure software checks for the presence of trojans and similar credential scanning malware - and locks down the malware whilst it is loaded - once the application is closed, the contents of the computer memory can still be subsequently lifted by a remote scanning piece of malcode,” he added.

The solution to this is quite simple, said Lieberman. Users must either use a secure Web browser with a memory sandbox feature - meaning all trace of the viewed data disappears along with the browser as it closes - or not load secure data on to the computer in the first place.

Secure/sandbox browser sessions, he explained, are easy to set up and use, but their functionality and interaction with third-party applications on the host computer is severely restricted.

This means, said Lieberman, that the only real solution to the problem of pervasive memory scraping is to store and control private data on a centrally-managed basis.

Using this methodology, he added, ensures that private information is stored and accessed using a data-centric, policy-based protection basis across all endpoints.

"It also, unlike secure/sandbox Web browsing, means that there is minimal impact on the user experience and operational processes in the course of regular business operations," he said.

“The fact that the SANS Institute has expressed concern about this security issue should be a red flag in itself. IT security managers need to be aware of this problem, and how to remediate it without it costing the earth, and causing efficiency issues within their organisation,” he said.

For more on the Pervasive Memory Scraping security issue: http://bit.ly/ijhU2m

For more on Lieberman Software: www.liebsoft.com

Source: Eskenzi PR Ltd.

95% of parents found children accessing internet pornography

Survey reveals that while most respondents use parental controls, teenagers often succeed in uninstalling or unlocking this software

BitDefender®, an award winning provider of innovative internet security solutions, has today announced the results of a new study that shows 95% of parents have noticed that their children had accessed internet pornography, especially during homework time. According to the study, the average age of a child starting to look for adult content sites is just over 11 years old.

The BitDefender study is based on interviews with 1,570 parents from five different countries, focusing on their children’s internet usage habits and their own habits, especially those related to sexually explicit materials. The study also found that while 97% of respondents used parental control software to block access to adult websites, 12% of the teenage sons or daughters succeeded in uninstalling or unlocking this software.

“One of the most interesting findings from this study is related to parental control. Even if the parents understood the necessity of such a piece of software and the need to monitor their teenagers’ activity on social networks and on the internet in general, children will always find a way to access adult content,” said Sabina Datcu, BitDefender E-Threats Analysis and Communication Specialist and author of the study. “BitDefender believes this sends a clear message to parents - it’s more important than ever to take steps to protect children from exposure to sexually explicit materials found on the internet.”

62% of adults admitted that they themselves had searched for and accessed adult content sites. Moreover, 87% said they would allow their children to look for sexually explicit materials if the children were 19 years old or older.

BitDefender’s Internet Security 2011 software includes parental control features to help monitor and control what websites children can visit. More details of the survey can be found on MalwareCity.com. For a full list of BitDefender 2011 features and benefits by product, please visit www.bitdefender.co.uk or follow BitDefender on Twitter for daily malware alerts.

BitDefender is the creator of one of the industry's fastest and most effective lines of internationally certified security software. Since its inception in 2001, BitDefender has continued to raise the bar and set new standards in proactive threat prevention. Every day, BitDefender protects tens of millions of home and corporate users across the globe - giving them the peace of mind of knowing that their digital experiences will be secure. BitDefender security solutions are distributed by a global network of value-added distribution and reseller partners in more than 100 countries worldwide. More information about BitDefender and its products is available at the company’s security solutions press room. Additionally, BitDefender’s www.malwarecity.com provides background and the latest updates on security threats helping users stay informed in the everyday battle against malware.

Source: Media Safari

Parallels to leverage Scality RING technology in its "Parallels Automation for Cloud Infrastructure"

Orlando, FL - February 2011 - Cloud storage pioneer Scality announced an OEM partnership that will see Scality RING provide the underlying Cloud Storage technology in Parallels' newly announced "Parallels Automation for Cloud Infrastructure". Parallels' cloud infrastructure solution enables service providers to rapidly and profitably deliver the infrastructure needed for cloud computing and cloud storage services to SMBs and developers - in particular, enabling service providers to compete with established cloud players.

Scality CEO Jérôme Lecat said: "Once a new technology has been deployed and proven, the key to success is speeding up adoption, and this is where Scality RING is today. After deployment with seven service providers in Europe during 2010, Scality needs partners who can accelerate adoption of our ground-breaking technology for the Hosting Service Provider market.

"Parallels is the perfect fit, thanks to the company's experience in distributed storage and its understanding of the needs of these customers. Parallels Automation for Cloud Infrastructure provides the ultimate level of manageability for service providers who want to offer a complete suite of Cloud Services, ranging from computing and virtualization to storage. As a trusted partner with extended experience of service providers, Parallels will leverage our technology to deliver the perfect product for its customers," he added.

Amir Sharif, Vice President of Virtualization and IaaS at Parallels, said: "We were introduced to Scality by a customer, who had already deployed it. After conducting a deep analysis, we were impressed by the maturity of the technology and its market viability. Scality enables us to deliver a fully integrated Cloud Storage solution to our customers."

Parallels Automation for Cloud Infrastructure is the industry's only infrastructure cloud solution that supports all key hosting processes like provisioning, billing and self-service management. Unlike competitor products, Parallels Automation for Cloud Infrastructure can be managed through an integrated management panel enabling IT professionals to self-create, self-scale, and self-manage virtual datacenters.

The Scality RING platform creates a series of nodes that are built using off-the-shelf servers. Each node on the RING controls its own segment of the overall storage pool. By monitoring other segments and constantly replicating - as well as load-balancing - the data, the storage becomes self-healing in the event of a drive or segment of the pool failing for whatever reason. Scality technology is used by service providers to deploy Storage-as-a-Service offerings, by email providers to store emails for millions of users, and by web service providers managing billions of files with very high performance expectations, either for Web 2.0 or business applications.

Scality is the developer of RING, a software platform enabling cloud storage to easily scale up to exabytes using commodity server hardware with direct attached storage.

Scality delivers the performance and reliability of a SAN- or NAS-based architecture without the hassles of volume management at one third to half of the cost.

Scality is used by Service Providers to deploy Storage-as-a-Service offerings, by Email Providers to store emails for millions of users, and by web services managing billions of files with very high performance expectations, either for Web 2.0 or business applications. Scality RING is based on a patented object storage technology, which delivers high availability, ease of operations and total control of your data.

For more information please visit www.scality.com or follow Scality on Twitter: @Scality.

Parallels is a global leader in virtualization and automation software that optimizes computing for consumers, businesses, and Cloud services providers across all major hardware, operating systems, and virtualization platforms. Founded in 1999, Parallels is a fast-growing company with more than 700 employees in North America, Europe, and Asia. For more information, please visit www.parallels.com.

Source: Omarketing, for Scality

Connectria selects Scality to launch a public cloud storage service

Scality's first 'Storage as a Service' customer in North America

San Francisco, February 2011 - Scality announced that Connectria - one of the longest-standing, most experienced, enterprise-class hosting businesses in North America - has selected Scality RING as the core technology of its new Storage as a Service offering.

Rich Waidmann, founder and CEO of Connectria, said: "At Connectria, we are relentless in our pursuit of excellence, because many businesses depend upon us and, as our customers, they deserve the best - we have made this philosophy a cornerstone of our business since 1998 and it's held us in good stead.  With that in mind, that we are happy to become Scality's first Storage as a Service customer in North America says everything you need to know about how we view Scality and Scality RING."

The Scality RING platform creates a series of nodes that are built using off-the-shelf servers. Each node on the RING controls its own segment of the overall storage pool. By monitoring other segments and constantly replicating - as well as load-balancing - the data, the storage becomes self-healing in the event of a drive or segment of the pool failing for whatever reason.  Scality technology is used by service providers to deploy Storage-as-a-Service offerings, by email providers to store emails for millions of users, and by web service providers managing billions of files with very high performance expectations, either for Web 2.0 or business applications.

Serge Dugas, chief sales & marketing officer for Scality, said: "After a year of successes in EMEA markets, 2011 is poised to be a very strong year in North America for Scality.  We are proud to have been selected by Connectria after a thorough review of storage infrastructure solutions by Connectria's Rusty Putzler, vice president - engineering."

Scality is the developer of RING, an application centric cloud storage system, enabling cloud storage to easily scale up to exabytes using commodity server hardware with direct attached storage.

Scality delivers the performance and reliability of a SAN- or NAS-based architecture without the hassles of volume management at one half of the cost.

Scality is used by Service Providers to deploy Storage-as-a-Service offerings, by Email Providers to store emails for millions of users, and by web services managing billions of files with very high performance expectations, either for Web 2.0 or business applications. Scality RING is based on a patented object storage technology, which delivers high availability, ease of operations and total control of your data.

For more information please visit www.scality.com or follow Scality on Twitter: @Scality.

Connectria Hosting (www.connectria.com) is a profitable and growing global provider of cloud, managed and complex hosting services. Packaged or customized solutions are available for technologies including OS, virtualization, database, email/collaboration and application/web servers. Connectria's hosting expertise represents one of the industry's widest range of supported platforms from a variety of vendors, including Microsoft, IBM, Oracle, HP, Dell, SUN, Citrix, VMware and Open Source (e.g. Linux/LAMP, MySQL).

A privately held company, Connectria has built its business through reinvesting profits and without any debt or equity financing. Connectria operates world-class Data Centers, Network Operations Centers, and Engineering Centers located in St. Louis, Missouri and Philadelphia, Pennsylvania. From these facilities, Connectria operates as a virtual extension of its clients' IT organizations.

Source: Omarketing, for Scality

Flash disk security is very different to magnetic drives says Origin Storage

Reports that certain types of flash disks lack a secure deletion facility highlight the fact that solid state storage devices are very different in their architecture from magnetic drives, says Andy Cordial, managing director of storage systems specialist Origin Storage.

"A lot of companies have made the understandable mistake of presuming that flash drives are a slot-in replacement for magnetic drives, when in fact nothing could be farther from the truth," he said.

"And as prices have fallen, a lot of firms have gone for solid state drives (SSDs) to tap into the advantages of rapid boot times, especially of relatively smaller capacity flash drives," he added.

Cordial says that researchers at the University of California have discovered that the electronic data shredding procedures - aka data sanitisation - do not always work the same on SSDs as on magnetic drives.

This, he explained, is due to the complex electronics on some of the latest generation of SSDs, which intercept a data delete request and often only delete the header, rather than the full data clusters that go to make up a given file on a magnetic drive.

This means, the Origin Storage MD says, that so-called `disk doctor' programs, which allow data retrieval on a sector-by-sector basis, without resorting to requiring header data, as an operating system normally does, can effectively undelete supposedly sanitised data files on an SSD.

The bottom line, says Cordial, is that `conventional' data overwrite commands which have worked well on magnetic drives since the earliest days of PCs in the 1980s, cannot be relied upon to function in the same manner with a flash drive.

"As the university researchers found, the erase procedures provided by manufacturers should be verifiable as well, so that users could easily check post-sanitisation that their data had been removed," he said.

"We could have told the researchers that. This is why we recommend SSDs for specific applications and magnetic drives for other uses. It's also why, where high levels of security are required, we recommend magnetic drives with additional levels of security, such as PIN/password entry system on our Data Locker Pro series," he added.
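An added example (not from the article, Origin Storage or the researchers) of the post-sanitisation check mentioned above: plant self-identifying fingerprint sectors, sanitise, then scan the raw pages rather than the logical view. `ToyFlash` is a constructed model that goes beyond the article's header-only description by modelling a flash translation layer that writes each overwrite to a fresh page; all names, sizes and the tag value are assumptions.

```python
import hashlib

SECTOR = 512
MAGIC = b"FPRT"  # constructed marker for fingerprint sectors


def fingerprint(tag: bytes, index: int) -> bytes:
    """Build one self-identifying sector: header, SHA-256 of header, filler."""
    head = MAGIC + tag.ljust(8, b"\0")[:8] + index.to_bytes(4, "big")
    return (head + hashlib.sha256(head).digest()).ljust(SECTOR, b"\xa5")


def fingerprint_index(page: bytes, tag: bytes):
    """Return the fingerprint index stored in a raw page, or None."""
    head = page[:16]
    if head[:4] != MAGIC or head[4:12] != tag.ljust(8, b"\0")[:8]:
        return None
    if page[16:48] != hashlib.sha256(head).digest():
        return None
    return int.from_bytes(head[12:16], "big")


class ToyFlash:
    """Constructed model: logical sectors are mapped onto physical pages."""

    def __init__(self, physical_pages: int):
        self.pages = [bytes(SECTOR)] * physical_pages  # what a raw read sees
        self.mapping = {}                              # logical -> physical
        self.next_free = 0

    def write(self, lba: int, data: bytes) -> None:
        # Flash is not rewritten in place: new data lands on a fresh page and
        # the page that held the previous contents is left as it was.
        if self.next_free >= len(self.pages):
            raise RuntimeError("toy model has no garbage collection")
        self.pages[self.next_free] = bytes(data)
        self.mapping[lba] = self.next_free
        self.next_free += 1

    def read(self, lba: int) -> bytes:
        page = self.mapping.get(lba)
        return bytes(SECTOR) if page is None else self.pages[page]

    def erase_all(self) -> None:
        # Models a whole-device erase that really clears every page.
        self.pages = [bytes(SECTOR)] * len(self.pages)
        self.mapping.clear()
        self.next_free = 0


def surviving(pages, tag: bytes):
    """Sector-by-sector scan: indices of fingerprints still readable."""
    found = (fingerprint_index(p, tag) for p in pages)
    return sorted(i for i in found if i is not None)


def run_demo(sectors: int = 8):
    tag = b"TESTRUN1"  # constructed tag identifying this verification run
    disk = ToyFlash(physical_pages=32)
    for lba in range(sectors):
        disk.write(lba, fingerprint(tag, lba))
    for lba in range(sectors):
        disk.write(lba, bytes(SECTOR))  # conventional overwrite with zeros
    logical_view = surviving([disk.read(lba) for lba in range(sectors)], tag)
    raw_after_overwrite = surviving(disk.pages, tag)
    disk.erase_all()
    raw_after_erase = surviving(disk.pages, tag)
    return logical_view, raw_after_overwrite, raw_after_erase


if __name__ == "__main__":
    logical, raw_overwrite, raw_erase = run_demo()
    print("fingerprints visible through the logical view:", logical)
    print("fingerprints found by raw scan after overwrite:", raw_overwrite)
    print("fingerprints found by raw scan after full erase:", raw_erase)
```

The logical view reports nothing left after the overwrite, while the raw scan still finds every fingerprint; only the scan after the full erase comes back empty.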

For more on the SSD delete research findings: http://bit.ly/h0mgmM

For more on Origin Storage: www.originstorage.com

Source: Eskenzi PR

New Financial Trojan OddJob Keeps Online Banking Sessions Open after Users “Logout”

We have found a new type of financial malware with the ability to hijack customers’ online banking sessions in real time using their session ID tokens. OddJob, which is the name we have given this Trojan, keeps sessions open after customers think they have “logged off”, enabling criminals to extract money and commit fraud unnoticed. This is a completely new piece of malware that pushes the hacking envelope through the evolution of existing attack methodologies. It shows how hacker ingenuity can side-step many commercial IT security applications traditionally used to defend users' digital - and online monetary - assets. We have been monitoring OddJob for a few months, but have not been able to report on its activities until now due to ongoing investigations by law enforcement agencies. These have just been completed.

Our research team has reverse engineered and dissected OddJob's code methodology, right down to the banks it targets and its attack methods.  Trusteer has already warned Financial Institutions that OddJob is being used by criminals based in Eastern Europe to attack their customers in several countries including the USA, Poland and Denmark.

The most interesting aspect of this malware is that it appears to be a work in progress, as we have seen differences in hooked functions in recent days and weeks, as well as the way the Command & Control (C&C) protocols operate. We believe that these functions and protocols will continue to evolve in the near future, and that our analysis of the malware's functionality may not be 100 per cent complete as the code writers continue to refine it.

OddJob's most obvious characteristic is that it is designed to intercept user communications through the browser. It uses this ability to steal/inject information and terminate user sessions inside Internet Explorer and Firefox.

We have extracted OddJob’s configuration data and concluded that it is capable of performing different actions on targeted Web sites, depending on its configuration. The code is capable of logging GET and POST requests, grabbing full pages, terminating connections and injecting data into Web pages.

All logged requests/grabbed pages are sent to the C&C server in real time, allowing fraudsters to perform session hijacks, also in real time, but hidden from the legitimate user of the online bank account.

By tapping the session ID token - which banks use to identify a user's online banking session - the fraudsters can electronically impersonate the legitimate user and complete a range of banking operations.

The most important difference from conventional hacking is that the fraudsters do not need to log into the online banking computers - they simply ride on the existing and authenticated session, much as a child might slip in unnoticed through a turnstile at a sports event, train station, etc.

Another interesting feature of OddJob, which makes it stand out from the malware crowd, is its ability to bypass the logout request of a user to terminate their online session.  Because the interception and termination is carried out in the background, the legitimate user thinks they have logged out, when in fact the fraudsters remain connected, allowing them to maximise the profit potential of their fraudulent activities.
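A server-side view of the behaviour described above, as an added example that is not part of the original release or Trusteer's code: because the logout request may never reach the bank, the session has to be closed by idle timeout and bound to the client that authenticated. The request records, the `/logout` path, the 10-minute timeout and the assumption that a replayed token arrives from a different IP address or user agent are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

IDLE_TIMEOUT = timedelta(minutes=10)  # assumed policy value, not from the article


@dataclass(frozen=True)
class Request:
    ts: datetime
    session_id: str
    ip: str
    user_agent: str
    path: str


@dataclass
class SessionState:
    fingerprint: tuple   # (ip, user_agent) seen on the first request
    last_seen: datetime
    closed: bool = False


def review_requests(requests):
    """Replay a request stream and return (ts, session_id, reason) findings."""
    sessions, findings = {}, []
    for req in sorted(requests, key=lambda r: r.ts):
        fp = (req.ip, req.user_agent)
        state = sessions.get(req.session_id)
        if state is None:
            # First sighting of the token: treat it as the authenticated login.
            sessions[req.session_id] = SessionState(fp, req.ts)
            continue
        if state.closed:
            # Token presented again after the server closed the session.
            findings.append((req.ts, req.session_id, "closed-session-reuse"))
        elif req.ts - state.last_seen > IDLE_TIMEOUT:
            # No logout was ever seen; expire on the server regardless.
            state.closed = True
            findings.append((req.ts, req.session_id, "idle-timeout"))
        elif fp != state.fingerprint:
            # Same token, different client: close and force re-authentication.
            state.closed = True
            findings.append((req.ts, req.session_id, "fingerprint-change"))
        else:
            state.last_seen = req.ts
            if req.path == "/logout":
                state.closed = True
    return findings


def at(hhmm):
    """Timestamp helper for the constructed sample below."""
    return datetime.strptime("2011-02-22 " + hhmm, "%Y-%m-%d %H:%M")


UA_USER = "Mozilla/5.0 (constructed user browser)"
UA_OTHER = "Mozilla/5.0 (constructed second client)"

# Constructed sample traffic; addresses are from documentation ranges.
SAMPLE_REQUESTS = [
    # alice: the logout reaches the server and the session ends normally
    Request(at("09:00"), "sid-alice", "203.0.113.10", UA_USER, "/login"),
    Request(at("09:01"), "sid-alice", "203.0.113.10", UA_USER, "/accounts"),
    Request(at("09:05"), "sid-alice", "203.0.113.10", UA_USER, "/logout"),
    # bob: no logout arrives; the same token then appears from another client
    Request(at("09:00"), "sid-bob", "198.51.100.7", UA_USER, "/login"),
    Request(at("09:02"), "sid-bob", "198.51.100.7", UA_USER, "/accounts"),
    Request(at("09:04"), "sid-bob", "192.0.2.55", UA_OTHER, "/transfer"),
    Request(at("09:06"), "sid-bob", "192.0.2.55", UA_OTHER, "/transfer"),
    # carol: no logout seen and no activity for 30 minutes
    Request(at("09:00"), "sid-carol", "203.0.113.77", UA_USER, "/login"),
    Request(at("09:30"), "sid-carol", "203.0.113.77", UA_USER, "/accounts"),
]

if __name__ == "__main__":
    for ts, sid, reason in review_requests(SAMPLE_REQUESTS):
        print(ts.time(), sid, reason)
```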

All matching is case-insensitive, and, using this process of pattern matching, fraudsters using OddJob are able to cherry pick the sessions and targets they swindle to their best advantage.

The final noteworthy aspect of OddJob is that the malware's configuration is not saved to disk - a process that could trigger a security analysis application. Instead, a fresh copy of the configuration is fetched from the C&C server each time a new browser session is opened.

The good news is that Trusteer's Rapport secure web access software - which is now in use by millions of online banking customers - can prevent OddJob from executing.

It's important to note that OddJob is just one of several pro-active malware applications that our research team sees on a regular basis, but its coding methodology indicates a lot of thought on the part of the coders behind the fraudware.

Careful analysis and research is needed to reverse engineer and dissect fraudulent applications like OddJob, but our message to banks and their online banking users is unchanged. They need to maintain constant vigilance, apply software updates, maintain an awareness of new threats and deploy complementary security solutions that can defend against evolving attack methods.

For more information see http://www.trusteer.com/blog

Source: Eskenzi PR Ltd.

US worries over Internet `kill switch' highlights need for contingency planning say Infosecurity Europe organisers

London, UK, February 2011 - As US IT security experts and liberty organisations discuss the ramifications of the recent effective shutdown of the Internet in Egypt - and whether President Obama should have access to an Internet `kill switch' - the organisers of Infosecurity Europe show are saying that the saga highlights the need for IT contingency planning.

According to Claire Sellick, Event Director for Infosecurity Europe, the lessons coming out of the Egypt net shutdown - and the fact that the US government is now talking about having access to a similar `shutdown button' for the US side of the Internet - should act as a red flag to IT managers in organisations of all sizes. 

"What we are seeing here is a rising awareness of the Internet's reliance on key physical elements such as main server centres and major routing stations, and how closing down these elements can effectively paralyse a nation's access to the Internet," she said.

"The headache that this causes on the security front is, what effect would a shutdown of, for example, one or more of the US Internet main switches, or the Amsterdam Internet Exchange (AMS-IX), have on your organisation, and the answer is that the effects could be very severe," she added.

Sellick went on to say that a number of UK ISPs rely on peering links with US and European exchanges for a lot of their Internet traffic, so if a foreign exchange shutdown were to occur, it could have severe repercussions for some UK hosted Web sites and company intranet/Internet traffic.

The key word here, she explained, is `some' as not all Internet hosting and service providers in the UK are equal in terms of their reliance on foreign exchange resources.

For example, she says, whilst most of the UK's Internet traffic is routed via the London Telehouse switches, a growing minority is also being routed via Manchester's MANAP switch, meaning that a serious issue with one switch would mean users of the other switch could continue business as usual.

It all comes down to Internet routing diversity, the Infosecurity Europe event director said, adding that, whilst experts in the US are now realising that there can never be a `kill switch' for the US Internet, they also realise it is still possible to lock down large portions of the North American Internet grid.

"And the effects of this could range from catastrophic to a minor inconvenience, depending on which hosting or internet service provider your UK organisation uses, and whether you have IP route diversity systems in place," she said.

"Of course, gaining access to information on these topics is not as easy as you might think. Fortunately, help is at hand in the shape of the free educational seminar programs we are planning for the Infosecurity Europe show, which takes place at Earls Court, London 19-21 April 2011 www.infosec.co.uk," she added.

For more on President Obama's Internet kill switch: http://bit.ly/gGePS3

For more on the Infosecurity Europe show: www.infosec.co.uk

Infosecurity Europe, celebrating 16 years at the heart of the industry in 2011, is Europe’s number one Information Security event. Featuring over 300 exhibitors, the most diverse range of new products and services, an unrivalled education programme and visitors from every segment of the industry, it is the most important date in the calendar for Information Security professionals across Europe. Organised by Reed Exhibitions, the world’s largest tradeshow organiser, Infosecurity Europe is one of four Infosecurity events around the world with events also running in Belgium, Netherlands and Russia. Infosecurity Europe runs from the 19th to the 21st April 2011, in Earls Court, London. For further information please visit www.infosec.co.uk

Source: Eskenzi PR

CREDANT TECHNOLOGIES LAUNCHES BETA PROGRAM FOR CLOUD ENCRYPTION SOFTWARE

CREDANT Removes Major Roadblock to Cloud Adoption through Unique Data Encryption Approach

London, February 2011: CREDANT Technologies, the trusted experts in data protection, today announced immediate availability of the beta program for its cloud encryption software for virtual desktop infrastructure (VDI) private cloud infrastructures. The new CREDANT cloud security platform provides enterprise customers with the ability to more rapidly embrace cloud infrastructure by removing the primary roadblock to adoption – data security. With this launch, CREDANT enables organizations to control and enforce security whether corporate data is located in private, hybrid or public cloud infrastructures. The CREDANT cloud security platform provides the only cloud data security approach to enable granular encryption, access control and key management that allows enterprises, including the cloud provider itself.

Tweet this: #CREDANT launches cloud encryption software beta. Register here to participate: http://bit.ly/e3sTii  (new url is www.credant.com/cloudsecurity)

CREDANT, the comprehensive provider of endpoint, mobile, and cloud data protection, is breaking down the security barriers for clients moving to cloud computing models.  CREDANT’s approach, new to the field of cloud security, is to protect data itself rather than protecting specific volumes, drives, or devices. Its encryption technology is the only automated, centrally managed, policy-based solution on the market, providing real-time protection and peace of mind for enterprise and governmental customers with sensitive data. Competitive solutions are either unworkable in cloud infrastructures or are highly labor intensive and have so far failed to meet the needs of enterprise customers wishing to move to the cloud.

The solution will enable businesses and governmental organizations to deploy private cloud infrastructures as part of their long-term roadmap to full cloud utilization by putting data security in the control of the enterprise—not the cloud administrator.  By enabling the IT security organization to control encryption of critical data on cloud platforms centrally, and in a way that is fully integrated with other data protection and encryption solutions already in place, organizations can safely embrace private, hybrid, and public cloud computing models with the knowledge that their data is safe from co-tenants, hackers, and malicious insiders. The CREDANT cloud security platform:

· Effectively eliminates the risk of an insider (either within the organization or working for an outsourced provider) accessing or stealing sensitive data;

· Provides granular access to decrypted information to the authorized user only, while administrators (local and third-party) access only the system and not the protected data; and,

· Enables seamless management of data security on physical infrastructure, mobile devices, removable media, private clouds, virtual desktop infrastructures, and hybrid/public cloud models, in a way that is transparent to users.

· Prevents unprotected data leakage to removable media while enabling secure usage and control of removable storage.

“CREDANT’s robust key management technology and data-centric encryption technology allows us to solve one of the core Cloud security problems in a fundamentally different way,” said Chris Burchett, Chief Technology Officer and co-founder, CREDANT Technologies. “The complexity of managing cloud infrastructures requires a new model for data security, and our new offering defines the path for organizations to more rapidly and securely adopt cloud models by removing the risks of data theft and insider attack wherever the data resides. This isn’t just about security – it’s about accelerating the transformation to the cloud for our customers.”

The CREDANT is the first of a series of releases targeting data security in the cloud. It provides simple, centrally managed security for data in private cloud infrastructures utilizing VDI. This new solution offers a far more secure and business-aligned approach to protect data, and is built upon CREDANT’s extensive expertise as the world’s largest endpoint data security specialist. The beta program is now available; organizations can register to participate by visiting www.credant.com/cloudsecurity.

CREDANT Technologies is the trusted expert in data protection. CREDANT's data security solutions mitigate risk, preserve customer brand, and reduce the cost of compliance, enabling business to "protect what matters." CREDANT has been recognized by Inc. magazine as the #1 fastest growing security software company in 2008 and 2007; was selected by Red Herring as one of the top 100 privately held companies and top 100 Innovators; and was named Ernst & Young Entrepreneur of the Year® 2005. Austin Ventures, Menlo Ventures, Crescendo Ventures, Intel Capital (NASDAQ:INTC), and Cisco Systems (NASDAQ:CSCO) are investors in CREDANT Technologies. For more information, visit www.credant.com.

Source: Eskenzi PR

This press release is presented without editing for your information only.

Full Disclosure Statement: The ICT REVIEW received no compensation for any component of this article.

Beware the Enemy Within

The recent dismissal of staff members engaged in data breaches at Vodafone once again highlights the absolute necessity for companies to ensure that data is properly secured, says Colin Tankard, Managing Director, Digital Pathways.

“In this instance the data breach was from within the organisation itself,” says Tankard. “So often we tend to think of the external bad boys – the teenager in his darkened room! Not the disgruntled employee, the contractor or competitor trying to outbid you to a contract.

“What companies must do is control who has access to data and by what route it is accessed. The important thing is to link only the valid user using the valid application to the data and controlling what they can do with the data i.e. copy, email or delete it etc.

“The struggle many companies have is to apply this to their applications which can be complex and often requires a re-design of the application itself. This is not the case with today’s security technology as we are able to encrypt any form of data, link that encryption to the application and the user, transparently to the application – hence requiring no modifications to the programme or to the users’ working practice.

“This ensures the data is protected wherever it resides, even when it is backed up or moved off site to a data centre or cloud. Then it is only available to authorised entities who themselves can only use the information in an approved way.

“Data breaches are no longer simply seen as being an irritating misdemeanor but are highly damaging to reputation and costly due to legislation and fines. Flexible and robust data security is no longer restricted to financial data but now covers all personal/private information that is held by every business.

“In my opinion where we are today is in a situation where many organisations have addressed their security issues individually as the need arises and not holistically as a whole. What is vital is that security solutions are not piecemeal but properly instigated strategies that are able to grow with the ever-changing technology landscape and requirements of organisations.

“If your company’s data security is less than it should be I would recommend you take stock now.”

Source: Joy Moon PR Consultant

This press release is presented without editing for your information only.

Full Disclosure Statement: The ICT REVIEW received no compensation for any component of this article.

Infosecurity Europe welcomes plans for rapid takedown of infected Web sites

London, UK 11th February 2011 - The organisers of Infosecurity Europe have welcomed news that the UK’s Internet registry is considering plans to rapidly take down those Web sites and Internet domains that it considers infected or have clear criminal/hacking intent.  Infosecurity Europe will be held at Earls Court, London 19-21 April 2011 www.infosec.co.uk

Claire Sellick, Event Director with the increasingly popular information security show, which takes place in London each spring, said that infected Web sites are now a serious threat to Internet users, whether they are employees working for a major corporation or SoHo workers, working on a single PC from a home office.

"The problem to date has been the electronic paper chase required for interested parties to complain - through various channels - that a site is causing infections or malware-laden links to visitors, and then for the hosting provider - often acting on their own principles - taking down the site, usually after several weeks of investigation," she said.

"If, as seems likely, Nominet adopts the plan, then a decision will be taken to take a site offline in very short order, where the intent is clearly criminal or the site appears to act as a conduit for malware," she added.

According to the Infosecurity Europe Event Director, Nominet's plans - which are quite revolutionary given the egalitarian nature of the Internet - have been proposed after discussions with the Serious Organised Crime Agency.

Despite the suggestion coming from the police agency, Sellick said that the fact that Nominet is now asking its membership and the Internet industry in general, is a very positive move.

It reflects, she said, the growing importance that the Internet has in modern business life, and the fact that it has almost become an essential utility in the same way that energy and water suppliers are central to modern life.

If the plans are adopted, she says, then the move will make the Internet a safer place to do business, although it is important to realise that the global nature of the Web means that until other national registries adopt similar measures, there will still be the issue of infected sites to contend with.

The good news that will result from the adoption of the proposals, adds Sellick, is that it will effectively devalue a UK-registered Web site in the eyes of cybercriminals, who will be less inclined to hack into the pages and load their own rogue data, knowing full well the site will be offline in a short space of time.

"Crime has a habit of seeking the path of least resistance and cybercrime is no exception. Reducing the risk of a UK business Web site from being misused is always going to be welcome, even against the backdrop of the Wild West that the Internet has become in some areas," she said.

"For this reason, we welcome the Nominet proposals, as they will help to make the Internet a safer place. There will still be cybercriminals on the Net, of course, but businesses can come to Infosecurity Europe in April to learn how to better defend their digital assets in the fast-changing world of IP communications," she added.

Infosecurity Europe takes place at London Olympia, between the 19th and the 21st of April, 2011.

For more on the Nominet proposals: www.nominet.org.uk/news/latest/?contentId=8215

For more on the Infosecurity Europe show: www.infosec.co.uk

Infosecurity Europe, celebrating 16 years at the heart of the industry in 2011, is Europe’s number one Information Security event. Featuring over 300 exhibitors, the most diverse range of new products and services, an unrivalled education programme and visitors from every segment of the industry, it is the most important date in the calendar for Information Security professionals across Europe. Organised by Reed Exhibitions, the world’s largest tradeshow organiser, Infosecurity Europe is one of four Infosecurity events around the world with events also running in Belgium, Netherlands and Russia. Infosecurity Europe runs from the 19th to the 21st April 2011, in Earls Court, London. For further information please visit www.infosec.co.uk

Source: Eskenzi PR

This press release is presented without editing for your information only.

Full Disclosure Statement: The ICT REVIEW received no compensation for any component of this article.

ISACA’s EuroCACS Examines Data Protection, Cloud Computing and Social Networking

20-23 March 2011, Manchester, UK

Rolling Meadows, IL, USA (10th February 2011)—David Smith, the deputy commissioner and director of data protection for the United Kingdom Information Commissioner’s Office, will discuss the challenges posed by personal privacy expectations from customers and regulators—and how IT professionals can strengthen public confidence in data protection—in his keynote presentation at ISACA’s European Computer Audit, Control and Security Conference (EuroCACS). This year, the event will be held 20-23 March in Manchester—one of the top 20 places to visit according to the New York Times’ “41 Places to Go in 2011.”

EuroCACS is an annual event drawing hundreds of global leaders in IT security, assurance and governance. Hosted by ISACA, a nonprofit association serving 95,000 IT professionals, the conference will feature 44 sessions divided into 12 streams:

· Client Computing

· Cloud Computing and Virtualization

· Computer Forensics

· Governance, Risk and Compliance

· Information Architecture

· Managing IT Investment

· Outsourcing

· Privacy, Information Protection and Loss Prevention

· Regulations and Compliance

· Risk Management

· Social Computing, Social Networks and Human Factors

· Sustainability

“EuroCACS is a great place for delegates to get the latest guidance on the issues that keep them awake at night.  Attendees will learn valuable tips and solutions to add value to their enterprises,” said Peter Thompson, President, ISACA Northern England Chapter.

Summary of Select Streams:

Cloud Computing and Virtualization

Cloud computing is something of a buzz term in the IT and business communities. Many maintain that it is the long-sought-after solution to cost and security concerns within an organization; others are resolutely unconvinced. Economic pressures have forced organizations to re-evaluate their IT solutions with specific regard to availability, scalability, efficiency and cost, so it is particularly important to assess the potential business benefits, risks and assurance considerations. Sessions in this stream will address the legal, security and governance issues surrounding the cloud.

Privacy, Information Protection and Loss Prevention

Contemporary data security is perhaps the most pressing of all challenges facing IT professionals today—a fact that has resulted in unanimous agreement that a new type of security culture must be created. But what alterations must be made to reflect the current information security zeitgeist? Examining the latest security trends is the logical starting point, paying close attention to, for example, hacker tools, exploits, legislation, cybercrime news, and what private data encompasses and where it resides, all of which are conducive to achieving the IT culture required for the 21st century. By adopting frameworks such as ISACA’s Business Model for Information Security (BMIS), organizations can implement a new level of security requirements; one such example is the UK Government, which adopted the concepts of BMIS and will be featured in a EuroCACS session. Sessions in this stream will feature security case studies, the latest threats and trends, guidance to prevent data leakage and more.

Regulations and Compliance

Evaluating compliance is a difficult job, and this stream reveals the most effective ways of completing it. Sessions include Emerging Standards in Software Security Assurance; Essentials of XBRL: The Emerging Financial Reporting Standard; PCI DSS 2.0: What the Standard Means for Companies; PCI DSS 2.0 Compliance: A Practical Approach; and Automating Security Configuration: Applying the US DoD Standard.

Social Computing, Social Networks and Human Factors

With the advent of social-networking and increased consumerisation, the workplace has now become an extension of an employee’s private life—albeit a slightly restrictive one. Social networking web sites have created many marketing and communication opportunities; however, there are also significant risks involved. This stream will delineate the pros and cons of social computing and social networks, and attempt to direct its attendees toward achieving an appropriate level of control within the business environment.  Sessions will discuss the risks and benefits of social media, how to create an effective policy, and how to control the uncontrollable.

Six optional pre- and post-conference workshops are also available. For additional information, visit www.isaca.org/eurocacs.

With 95,000 constituents in 160 countries, ISACA® (www.isaca.org) is a leading global provider of knowledge, certifications, community, advocacy and education on information systems (IS) assurance and security, enterprise governance and management of IT, and IT-related risk and compliance. Founded in 1969, the nonprofit, independent ISACA hosts international conferences, publishes the ISACA® Journal, and develops international IS auditing and control standards, which help its constituents ensure trust in, and value from, information systems. It also advances and attests IT skills and knowledge through the globally respected Certified Information Systems Auditor® (CISA®), Certified Information Security Manager® (CISM®), Certified in the Governance of Enterprise IT® (CGEIT®) and Certified in Risk and Information Systems Control™ (CRISC™) designations. ISACA continually updates COBIT®, which helps IT professionals and enterprise leaders fulfill their IT governance and management responsibilities, particularly in the areas of assurance, security, risk and control, and deliver value to the business.

Follow ISACA on Twitter at http://twitter.com/ISACANews.

Source: Eskenzi PR

This press release is presented without editing for your information only.

Full Disclosure Statement: The ICT REVIEW received no compensation for any component of this article.

Imperva warns on the real insider security threat

10th February 2011 - The recently published 2011 CyberSecurity Watch Survey claims to show that 21 per cent of attacks on organisations are caused by insiders.

And, says Amichai Shulman, chief technology officer with data security specialist Imperva, the report also points out that the percentage of those viewing the insider attacks as more costly is up this year (33 per cent) on the 25 per cent reported last year.

"The report is also very interesting as it defines an insider as being an employee or contractor with authorised access, as well as noting that these types of attacks are becoming more sophisticated, where the user employs different Rootkits and hacking tools," he added. This is a significant shift, as so far insider attacks used to rely on very simple techniques and tools (available with any work station).

The Imperva CTO went on to say that there is a greater problem here that flies in under the radar, and does not seem to be included in the statistics.

This, he explained, centres on the threat of the individual who has no deliberate intention to cause the company any damage. Rather, the insider threat is mostly caused by an employee that collects information rightfully over time and the information is not removed when the employee leaves the company.

The danger here, says Shulman, is when the employee re-uses that data at their next place of employment, or, as sometimes happens, the data 'leaks' from the employee's own computer.

Imperva's own street survey of over 1,000 UK employees found that 85 per cent of employees carry corporate data in their home computers or mobile devices, he said.

And, he added, 79 per cent of those surveyed revealed that their organisation does not have - or the employee is unaware of - any policy to remove company data from their laptop or other portable device when they leave the company.

Against this backdrop, Shulman recommends that, whilst companies scurry around to defend their digital assets against the apparent insider threat, they also need to defend against those members of staff who plan to take data with them when they move on to another organisation.

"Approaching a review of a company's security policies and controls from this angle means that the process is not as futile as some professionals think it is, but rather assesses and prioritises the largest risks in a logical manner," he added.

For more on the CyberSecurity Watch Survey: http://bit.ly/hMnzR2

For more on Imperva: www.imperva.com

Source: Eskenzi PR

This press release is presented without editing for your information only.

Full Disclosure Statement: The ICT REVIEW received no compensation for any component of this article.

Tufin unveils new functionality & updated PCI DSS 2.0 compliance reporting

Tufin Technologies Unveils Enhanced Firewall Operations Management Functionality and Updated PCI DSS 2.0 Compliance Reporting

New Permissive Firewall Policy Optimization Features Enable Security Teams to Instantly Identify and Remediate Potential Policy Risks

London, Feb. 9, 2011 – Tufin Technologies, the leading provider of Security Lifecycle Management solutions, today unveiled version 5.3 of its award-winning Tufin Security Suite (TSS), which features enhancements that further accelerate Tufin’s market lead and significantly raise the bar for what any organization should expect from firewall operations, compliance and change automation solutions. Tufin will demonstrate its new release next week at the RSA Conference 2011 in San Francisco, in its Booth No. 2551.

The Tufin Security Suite is made up of two core products: SecureTrack, Tufin’s firewall operations, compliance and auditing product; and SecureChange Workflow, Tufin’s security change automation solution.  Enhancements to SecureTrack include:

  • Enhanced Automatic Policy Generator (APG). SecureTrack’s Automatic Policy Generator enables administrators to instantly create a firewall rule base through analysis of firewall traffic logs.  TSS 5.3 includes an enhanced, interactive interface as well as new features that enable security teams to rapidly diagnose and remediate excessively permissive security policy rules, including:

    • Permissiveness Score: APG now reviews security policies for firewalls, routers or other network devices and assigns a permissiveness score to every rule. With the permissiveness score, security teams can instantly identify and address potential risks.
    • Permissive Rule Optimization: APG provides specific recommendations on how to optimize overly permissive rules. Since there is a tradeoff between the degree of permissiveness and the number of rules generated, security managers can adjust the optimization level before and after the analysis.

  • Zone Manager. SecureTrack’s new Zone Manager provides a central interface for defining and managing network zones. All SecureTrack features access the zone manager, making it faster and easier than ever before to define reports and queries in SecureTrack.  It is also possible to export zone definitions for use in other management systems.

  • PCI DSS Support for Industry Standard--Version 2.0. SecureTrack’s Payment Card Industry Data Security Standards (PCI DSS) Audit Report now supports the latest version of the industry standard, version 2.0. The automated report helps organizations address the requirements relating to firewall auditing, network security, data safety, access control, and accountability.

In addition to the latest advances in SecureTrack, Tufin’s SecureChange Workflow change automation tool is also updated to include an out-of-the-box API for integration with the popular BMC Remedy Change Management system. The enhanced API enables SecureChange Workflow to automatically update the enterprise change management system in order to comply with organizational change policies.

“As the leader in Security Lifecycle Management, Tufin has a broad customer base which works closely with us to identify product updates to keep up with their changing, complex firewall management and compliance needs,” said Ruvi Kitov, CEO and Co-Founder, Tufin Technologies. “With this new release, SecureTrack addresses the latest in firewall compliance and automation requirements as demanded by enterprises. Coupled with our recent announcement of next-generation firewall support, SecureTrack is today’s most comprehensive solution for firewall management.”

Availability and Pricing

The latest version of SecureTrack and SecureChange Workflow is available immediately.  Pricing starts at $20,000.

Tufin™ is the leading provider of Security Lifecycle Management solutions that enable companies to cost-effectively manage their network security policy, comply with regulatory standards, and minimize IT risk. Tufin’s award-winning products SecureTrack™ and SecureChange™ Workflow help security operations teams to manage change and perform reliable audits while dramatically reducing manual, repetitive tasks through automation. Founded in 2005 by leading firewall and business systems experts, Tufin serves more than 700 customers in industries from telecom and financial services to energy, transportation and pharmaceuticals. Tufin partners with leading vendors including Check Point, Cisco, Juniper Networks, Palo Alto Networks, Fortinet, F5, Blue Coat, McAfee and BMC Software, and is committed to setting the gold standard for technological innovation and dedicated customer service.

For more information visit www.tufin.com, or follow Tufin on:

· Twitter at http://twitter.com/TufinTech

· Facebook at http://www.facebook.com/Tufintech

· LinkedIn at http://www.linkedin.com/companies/tufin-technologies

· The Tufin Channel on YouTube at http://www.youtube.com/user/Tufintech

· The Tufin Blog at http://www.tufin.com/blog

Source: Eskenzi PR

This press release is presented without editing for your information only.

Full Disclosure Statement: The ICT REVIEW received no compensation for any component of this article.

Trusteer Secure Web Access prevents attacks that exploit smart phones

Trusteer Secure Web Access Protects Enterprises from Smart Phone and Tablet-Based Attacks

Performs Security Assessment of Mobile Devices and Controls Access to Web Applications to Prevent Data Theft and Security Breaches

NEW YORK, Feb. 9, 2011 – Trusteer, the leading provider of secure web access services, today announced Trusteer Secure Web Access which enables organizations to protect their web applications, network and data from attacks that exploit insecure mobile devices. Trusteer Secure Web Access detects smart phones and tablets infected with, or at risk of infection from malware and prevents them from connecting to protected web resources. In addition, it provides real-time alerts to enterprises on the security status of each device that attempts to connect to resources and applications.

According to the RSA 2011 Cybercrime Trends Report, the number one trend this year will be mobile malware and the exploitation of mobile phones to commit fraud. The explosive growth of mobile devices as a general purpose computer “on the go” has made them an attractive target for cybercriminals to exploit. However it is not just consumers and their banks that must consider the risks of mobile malware. The consumerization of IT has laid the bridge for the crossover of consumer technology into the enterprise. Organizations are providing their employees with mobile devices, or employees are using their own personal devices to conduct work-related activities – potentially opening up a backdoor for malware to make its way onto the corporate network.[1]

Transparent Security for all Mobile Platforms

Tablets and mobile devices, most of which are not managed by corporate IT departments, are easily infected with malware and may be vulnerable to attack. Allowing these mobile endpoints to connect to enterprise resources via the web can expose sensitive corporate information to criminals and lead to network security breaches. Trusteer Secure Web Access ensures tablets and mobile devices requesting a connection to secure web applications are free from malware and security vulnerabilities. It supports all leading tablets and mobile devices including iPad, iPhone, Android, BlackBerry and more.

To enforce enterprise policies on mobile devices, Trusteer Secure Web Access assesses the security posture of each device requesting access to secure resources before it can connect to applications or the network. Trusteer evaluates whether the service is installed on the device, if any malware is present, and whether it has any unpatched vulnerabilities. Only devices that meet security policy requirements are allowed to connect to enterprise resources. In addition, the status of each device is logged and transmitted in real-time to the enterprise IT department. Trusteer Secure Web Access also allows organizations to define and apply access control policies based on the security status of the device, such as blocking access to all or only select resources.

“IT departments are under pressure from the executive suite all the way to the departmental level to allow employees to use tablets and mobile devices to connect to secure web resources,” said Mickey Boodaei, CEO of Trusteer. “The Trusteer Secure Web Access Service is an elegant, quick and easy to deploy solution for enterprises that want to minimize the threat associated with mobile device connectivity to business applications.”

“Many CISOs face a huge challenge when it comes to managing smartphones, and realize that they need to quickly and securely embrace this ever more popular endpoint or they could see their data and systems trashed by malware ridden devices,” said Nigel Stanley, Practice Leader- security, Bloor Research. “Secure access services are one way in which users can be encouraged to use their own smartphones while protecting the company network and hopefully make this one less thing a CISO need worry about”.

Availability and Pricing

Trusteer Secure Web Access is available immediately from Trusteer and its business partners worldwide. Pricing starts at $35 / £25 per device per year.

About Trusteer

Trusteer is the world’s leading provider of Secure Web Access services. The company offers a range of services that detect, block and remove attacks launched directly against endpoints such as Man in the Browser, Man in the Middle and Phishing. Trusteer services are being used by leading financial organizations and enterprises in North America and Europe, and by tens of millions of their employees and customers to secure web access from mobile devices, tablets and computers to sensitive applications such as webmail, online payment, and online banking. HSBC, Santander, The Royal Bank of Scotland, SunTrust, Fifth Third, ING DIRECT, and BMO Financial Group are just a few of the companies using Trusteer’s technology. Trusteer is a privately held corporation led by former executives from RSA Security, Imperva, and Juniper. Follow us on www.Twitter.com/Trusteer. For more information about our services, please visit www.trusteer.com.

Source: Eskenzi PR

[1] RSA 2011 Cybercrime Trends Report: http://blogs.rsa.com/sos/cybercrime-trends-for-2011-podcast-210/

This press release is presented without editing for your information only.

Full Disclosure Statement: The ICT REVIEW received no compensation for any component of this article.

Venafi launches 1st universal automated management of all key certificates & keys

Venafi Announces Director 6, First Platform to Automate Management of Widest Range of Encryption Key and Certificate Technologies Across the Enterprise

Venafi Encryption Director 6 Platform Allows Global 2000 Enterprises to Eliminate Unquantified and Unmanaged Risk, Improves Security and Compliance, and Increases System Availability

London, February 9, 2011 – Venafi, the inventor of and market leader in Enterprise Key and Certificate Management (EKCM) solutions, today unveiled Venafi Encryption Director 6™ (Director 6). Director 6 provides out-of-the-box automated management capabilities for the widest range of digital certificate and encryption key technologies used by today’s enterprises, including symmetric keys, SSH keys, asymmetric keys and digital certificates. Recognized by Gartner as a “Cool Vendor,” Venafi provides the only platform that allows organizations to automate discovery, monitoring, validation, management and security of the most commonly used encryption assets. Designed specifically for the enterprise, Director 6 provides interoperability across heterogeneous environments, rapid scalability, and orchestration capabilities that improve security and compliance and increase critical system uptime. In addition to the already-available Certificate Manager™ product, the SSH Key Manager™ and Symmetric Key Manager™ products are being added to the Director 6 platform as separate offerings.

With over eight years’ experience delivering best-of-breed encryption management solutions to the world’s largest organizations in financial services, insurance, high tech, telecommunications, aerospace, healthcare, retail and other industries, Venafi delivers a true enterprise platform with management functionality that spans organizations’ diverse infrastructures, independent of the managed encryption asset or the complexity and size of the environment. Director 6 is a third-generation architecture that enables easy-to-deploy interoperability, scalability and orchestration across multiple encryption types, operating environments, certificate authorities (CAs), HSMs, applications, directories and other enterprise systems.

“Security, privacy and compliance are driving organizations to deploy encryption technologies at an almost hyper-aggressive pace. Unfortunately, encryption assets can turn into liabilities if managed improperly. One expired certificate can shut down critical systems, and one compromised key can open the gates to sensitive information and compliance violations,” said Richard Stiennon, noted author, speaker and principal analyst at IT Harvest. “Security and compliance initiatives are only going to be as effective as the people managing them, and those managers need to be equipped with powerful tools that allow them to do their jobs. Organizations that rely on encryption keys and digital certificates need to deploy solutions that will allow them to retain control over the thousands of keys and certificates deployed.”

“Venafi is recognized by our customers as the only security vendor that can fully automate EKCM processes and scale to their requirements,” said Jeff Hudson, CEO of Venafi. “Our innovative technology platform gives organizations the ability to solve the rapidly expanding encryption key and certificate security management problem, which has been highlighted by recent sophisticated attacks and breaches like the WikiLeaks and Stuxnet incidents. In addition, we enable our customers to achieve compliance with new regulations and standards. Recent studies show that key and certificate inventories are growing every year by more than 70 percent, and that 85 percent of those organizations surveyed admit to inadequate management of these critical security assets. Director 6 provides advanced management, access control and automation capabilities that significantly reduce the unquantified and unmanaged risk.”

Venafi Encryption Director 6 includes the following:

· SSH Key Manager™

· Certificate Manager™

· Symmetric Key Manager™

· Agent-based Onboard Discovery and Monitoring

· Advanced Management Partitioning across Firewall Boundaries

· Enhanced Operational Network Validation and Alerting

· Expanded Analysis and Reporting of Consolidated Key and Certificate Management Logs

· Actionable Key and Certificate Management Dashboard

Customers to speak at RSA Conference

During RSA Conference 2011, Monday, Feb. 14 through Thursday, Feb. 18, Venafi will be providing on-demand demonstrations of Director 6 in its booth (# 1843) during exhibition hours. Register to attend the RSA Conference case-study session where two Venafi customers—a Fortune 250 financial services payment-processing company and a Fortune 100 high-tech products and services company—will share their experiences in managing encryption keys and certificates across their large enterprise environments. For a free exhibition floor pass, visit the RSA Conference 2011 website and use code EC11VNF.

Product Availability

Venafi Encryption Director 6, with available products Symmetric Key Manager™, Certificate Manager™ and SSH Key Manager™, will ship in the second quarter of 2011. For more information on Director 6 visit www.venafi.com/Director6.

Venafi is the inventor of and market leader in Enterprise Key and Certificate Management (EKCM) solutions. Venafi delivered the first enterprise-class platform to automate the provisioning, discovery, monitoring and management of digital certificates and encryption keys—from the desktop to the datacenter—built specifically for encryption management interoperability across heterogeneous environments. Venafi products reduce the unquantified and unmanaged risks associated with encryption deployments that result in data breaches, security audit failures and unplanned system outages. Venafi customers include the world's most prestigious Global 2000 organizations in financial services, insurance, high tech, telecommunications, aerospace, healthcare and retail. Venafi is backed by top-tier venture capital funds, including Foundation Capital, Pelion Venture Partners and Origin Partners. For more information, visit www.venafi.com.

Source: Eskenzi PR


Safer Internet Day - The role of Security within Social Networks

Amichai Shulman – CTO and co-founder of Imperva

Last week researchers unveiled a “dating database” consisting of 250,000 users. This was not just any ordinary dating site where one registers to and agrees to post their information. Rather, the dating profiles were based on public information that the researchers gathered from Facebook profiles. Many people at this point cried out “Privacy!”. However, let us take a step back and remind ourselves that it is these users who were not concerned to publicly publish their data in the first place! By consenting to Facebook’s terms of service, they are actually agreeing to relinquish their information to a public website. With this in mind, it may be safe to say that if a user indicates their religion, or ethnicity, on Facebook they do so because they want other users to know this information and are willing—even implicitly—to take the chance that a (hypothetical) racial classification application will have access to it as well. It may also be safe to say that people who post a named defamation of their boss on their wall—or their friend’s wall—are willing to take the chance that their boss may see the post. That is the essence, or rather lack thereof, of privacy.

In terms of social networks, it is security which we need to be wary of. Security controls the way in which people use the information of others. It is a way to ensure that people cannot invoke functionality on behalf of other users, and that delinquents cannot use the system to distribute malware. It is a way to make it difficult to hack into someone’s account using a brute-force attack. Security enables us to integrate social networking applications into our business environment without affecting the integrity and confidentiality of business data.

In today’s social networking platform, security is the threat. Web 2.0 vulnerabilities are quickly translating into massive worm outbreaks. One such example is the notorious Koobface worm which is still propagating even though researchers have been attempting to contain it for the last few years. Even basic best practices, such as the use of SSL for authentication purposes, are not closely followed.

Nevertheless, we are starting to feel the winds of change. Recently, Facebook made changes to account security to reduce account hijacking incidents. Just a few weeks ago a new authorization scheme was put in place that requires one to identify their friends in case of an alleged account take-over. As social networks attempt to increase their user base, penetrate the business environment, and roll out new services (such as Facebook’s new webmail) we should expect social platforms to invest more resources in improving the security posture of the platform. These measures will provide improved protection against application layer attacks, stronger authentication and account control features, and better malware detection systems.

Source: Eskenzi PR


‘What are the banks not telling us about card fraud?’ asks Lieberman Software

[Or isn't it strange the number of major bank hacking cases where the defendant(s) plead guilty...]

Reports that a Russian hacker has pleaded guilty to ripping off WorldPay, the online transaction processor, to the tune of $10 million, have met with a grim smile by Lieberman Software, the identity management specialist.

According to Phil Lieberman, the firm's president, the methodology used by the 27-year-old hacker is a potential worst-case scenario that he and his team warn potential and existing clients about.

"Not only did this guy manage to hack into WorldPay's systems back in 2008, but he then altered the parameters of the merchant accounts and boosted their online daily limits. From there he withdrew large amounts of cash from ATMs as he travelled the world," he said.

"The case is a fascinating one as, by pleading guilty, it's unlikely we'll ever find out how this team of hackers managed to stiff the former RBS card processing division for an incredibly large sum of money," he added.

When you think about it, the only way that Yevgeny Anikin could have increased the withdrawal limits on the merchant accounts was by gaining access to an internal management account with the card processor, he went on to say.

The whole affair smacks of a lack of security on privileged accounts, which is an area of security in which we specialise, he explained.

As with all major card frauds of this type, however, this case involves the hacker ringleader pleading guilty, thereby preventing the actual processes used by the fraudster(s) being revealed in an open court.

"We've been through our fraud records and are finding it difficult to come up with a major card fraud case involving hacking where the fraudster(s) have pleaded not guilty, and the case has gone to court," he said, adding that time after time, the fraudsters mysteriously plead guilty, are sentenced and the financial institution gets away without revealing the chinks in their electronic armour.

What are the possibilities of that happening? he asked.

"Quite low, actually, especially when you realise that this case was heard in a Siberian court, in a country where all sorts of unusual results come out of the courts, such as political rivals of President Putin mysteriously being incarcerated for years on end," he said.

"The bottom line is that you don't have to be a conspiracy theorist to piece together what is happening: the card processing system is far from being infallible, and the banks are going to great lengths to avoid exposing how insecure their systems really are in an open court," he added.

"Of course, if I'm wrong, I'll be perfectly happy to discuss this issue with WorldPay or any other financial institution whose systems have been hacked and defrauded - and where the criminals have pleaded not guilty."

For more on the Russian $10 million card fraud case: http://bit.ly/h6K5xl

For more on Lieberman Software: www.liebsoft.com

Source: Eskenzi PR


DES Offers Free Encryption

DES raises the bar for cost effective data security with new features and licensing model

Taunton, UK, February 2011 – Data Encryption Systems Limited (DES), the UK-based leader in software copyright protection, data encryption, secure messaging and data storage solutions and winner of Computing Security's Encryption Product of the Year 2010, has today announced that it is offering its market leading encryption solution, DESlock+ Personal Edition, to home users for free. The company has also introduced 2 new features for the DESlock+ Standard Edition, including removable media encryption and portable encryption, as well as moving to a per user licensing structure, giving more flexibility to mobile workers.

Paul Jackson, Head of Business Development at Sigma Software Distribution, one of the UK’s main distributors of DESlock+, comments: "Companies need to account for every penny and by adding extra features to the standard product and reorganising its licence structure, DES has really taken this on board. DESlock+ would be a great choice for a company with mixed requirements as it caters for mobile workers while still offering a cost-effective solution for desktop workers. It's great to see a company that thinks about its customers' requirements and aligns its offering to suit these needs."

DESlock+ has previously been licensed on a per system basis, meaning the licence was registered to an individual system. This has now changed and licences will now be registered to the actual user. As a result, anyone with a licence for the DESlock+ PRO or DESlock+ Standard Edition will be able to put a copy of the software on their own home PCs for business use, giving them DESlock+ security at home as well as in the office, at no extra cost.

David Tomlinson, Managing Director for DES, comments: “We always try to think about how people actually work when we design our products and today it’s clear that people are no longer confined to the office. With laptops, hot-desking, portable media and USBs, the mobile working revolution is here and here to stay. We have therefore adapted our offering to align with evolving business needs.”

The DESlock+ Personal Edition is the only free FIPS 140-2 approved encryption product available on the market. It helps to protect organisations from data breaches by offering extremely powerful encryption for emails, files and folders, virtual discs and archives. The product includes a Desktop Shredder for the safe destruction of sensitive information and works using DESlock+’s unique key sharing technology, which allows the safe transfer and sharing of information.

The DESlock+ Standard Edition is aimed at business desktop computers and includes all the features listed above for the Personal Edition, along with Policy-driven Removable Media Encryption. This allows administrators to ensure that any data written to a USB disk or Flash drive is encrypted. DESlock+ Go, a portable encryption system which allows protected USB sticks to be used on unprotected systems where required, has also been introduced into the Standard version. These new features give desktop users more freedom to move information outside of the office.

The DESlock+ PRO Edition is aimed at protecting laptops and desktops in less secure locations. DESlock+ Pro includes the features of the Standard Edition as well as Full disk Encryption (FDE), providing total cover against unexpected events and compliance with various directives and regulations.

Tomlinson continues: “By offering customers removable media encryption and portable encryption with the standard licence, and combining this with a per user licence structure, workers can take encrypted work home with them and work on their own PC. We also offer full disk encryption as part of our PRO licence and are actually giving away free personal licences, so there really is something for everyone. We will also be making some more product announcements in the next few weeks as we launch our Enterprise Server to help with improved management, so watch this space.”

DES’s Enterprise Server is due for release towards the end of February. The Enterprise Server will allow remote control administrators to manage users’ encryption keys through the internet through its centralised management software. This is yet another step undertaken by DES to ensure that home and mobile working remains secure and does not present a gap in compliance.

For those customers interested in purchasing a DESlock+ licence, or downloading a free version of its Personal Edition, please visit the website: www.des.co.uk. The website also provides customers with an overview of specific industries and directives with its series of compliance guides, to help organisations to better understand their security requirements.

Since 1985, Data Encryption Systems has been the UK’s most successful manufacturer of software protection dongles, software copyright protection systems and secure handset reprogramming accessories. Data Encryption Systems markets and supports products used by tens of thousands of businesses worldwide to protect applications, copyrighted materials, medical records, government files and other confidential and personal information. The company’s flagship product, DESlock+, has been awarded SC Magazine’s Best Buy for three successive years and was also the winner of Computing Security's Encryption Product of the Year 2010.

Source: C8 Consulting Ltd


Tufin introduces next generation firewall management solution

Tufin Technologies Introduces the Industry’s First Comprehensive Firewall Management and Auditing Solution for Next-Generation Firewalls

Tufin Extends the Scope of its Firewall Operations Management Solution Tufin Security Suite 5.3 to Support Palo Alto Networks Market-Leading Next-Generation Firewalls

RAMAT GAN, Israel & London, Feb. 2011 – Tufin Technologies, the leading provider of Security Lifecycle Management solutions, today announced it is the first firewall management company to offer comprehensive support for next-generation firewalls from market leaders such as Palo Alto Networks.

The latest update of SecureTrack – Tufin’s firewall operations, auditing and compliance product – introduces the industry’s first solution that provides network security teams with seamless, comprehensive management and auditing capabilities for both next-generation and network-layer firewalls. Palo Alto Networks customers can now benefit from improved management, policy analysis and reporting found in the Tufin solution.

Announced today, Tufin’s support of Palo Alto Networks firewalls will be jointly demonstrated next week at the RSA Conference 2011 in San Francisco – in Tufin’s Booth No. 2551, and in Palo Alto Networks’ Booth No. 2145.

“Tufin SecureTrack has enabled us to streamline our existing firewall rule sets, and has helped us enhance our compliance program with comprehensive reporting of changes,” said Craig Hanrahan, Sonus Networks senior manager of IT infrastructure.  “With Palo Alto Networks, having one device do as much as it does keeps us from the complexity of multiple devices, and its AppID keeps us from having to create a bunch of application rules or worrying about every port.  Tufin’s new support of Palo Alto Networks is helpful because it supports all the log types of Palo Alto Networks.  The visibility we gain with Tufin into the effects of rules changes and managing these changes within Palo Alto Networks will help us down the road, as well.”

Palo Alto Networks' next-generation firewalls are unique in the industry in their ability to see and control applications, users and content – not just ports, IP addresses and packets. Palo Alto Networks' next-generation firewalls enable enterprises to create granular, business-relevant security policies and safely control applications instead of the block-or-nothing approach offered by traditional port-blocking firewalls.

The new Tufin SecureTrack makes it easier to manage next-generation firewalls and meet auditing and compliance requirements. In a wide variety of views, policy analysis queries, and compliance audit reports, SecureTrack uniquely enables security teams to identify firewall policy rules according to advanced, application-layer identification technology.

“Tufin SecureTrack is a highly complementary management layer to our core value proposition, which is to help organizations gain visibility and control of applications, users, and content within their networks,” said Punit Minocha, Palo Alto Networks VP of Business and Corporate Development. “Our mutual customers can gain more robust operations management, auditing and compliance for their network infrastructure.”

SecureTrack’s comprehensive support for Palo Alto Networks also includes:

· Support for both physical and virtual systems, including shared objects between virtual systems.

· Support for Palo Alto Networks Panorama central management system’s global rules and objects that are shared among multiple physical or virtual firewalls.

· Real-time change tracking of Palo Alto Networks’ content updates.

“Palo Alto Networks has realized significant growth and has been a shining star in the network security industry over the years,” said Shaul Efraim, Tufin VP of Products, Marketing and Business Development. “We saw strong demand from customers and channel partners for support for Palo Alto Networks in our Tufin Security Suite. We are committed to supporting customers and channel partners, and quickly responded to this need to enhance our award-winning Security Lifecycle Management Security Suite.”

Availability and Pricing

SecureTrack support for next-generation firewalls, including Palo Alto Networks, is available immediately.  Pricing starts at $20,000.

About Tufin Technologies

Tufin™ is the leading provider of Security Lifecycle Management solutions that enable companies to cost-effectively manage their network security policy, comply with regulatory standards, and minimize IT risk. Tufin’s award-winning products SecureTrack™ and SecureChange™ Workflow help security operations teams to manage change and perform reliable audits while dramatically reducing manual, repetitive tasks through automation. Founded in 2005 by leading firewall and business systems experts, Tufin serves more than 700 customers in industries from telecom and financial services to energy, transportation and pharmaceuticals. Tufin partners with leading vendors including Check Point, Cisco, Juniper Networks, Palo Alto Networks, Fortinet, F5, Blue Coat, McAfee and BMC Software, and is committed to setting the gold standard for technological innovation and dedicated customer service.

For more information visit www.tufin.com, or follow Tufin on:

· Twitter at http://twitter.com/TufinTech

· Facebook at http://www.facebook.com/Tufintech

· LinkedIn at http://www.linkedin.com/companies/tufin-technologies

· The Tufin Channel on YouTube at http://www.youtube.com/user/Tufintech

· The Tufin Blog at http://www.tufin.com/blog

Source: Eskenzi PR


Infosecurity Europe 2011 Hall of Fame nominations now open

London UK, February  2011 – The time is ripe to elevate the greatest movers and shakers in the world of information security as nominations for the Infosecurity Europe 2011 ‘Hall of Fame’ open.

For the last 3 years the medal of honour of the information security world has been presented to speakers of high renown with the ‘Hall of Fame’ at Infosecurity Europe. Voted for by fellow industry professionals the recipients of this most prestigious honour stand at the vanguard of the technological age. Possessing a wisdom that can only be gained through experience at the frontiers of the industry, any inductee to the Hall of Fame is guaranteed to impress, as the adorned walls of previous shows testify.

Previous speakers have included some of the world’s leading thinkers in information security. To whet your appetite the winners of 2010 featured Prof Fred Piper, Lord Erroll, Eugene Kaspersky, Charlie McMurdie, Stephen Bonner and Ed Gibson, all of whom delivered thrilling speeches to a captivated audience. To view all previous speakers, along with a short biography, you can visit the Infosecurity website:  www.infosec.co.uk/page.cfm/Link=769/nocache=true

The 2011 Hall of Fame will be conducted in the Keynote theatre where the eventual speakers, whittled down by two stages of nominations, will address other industry professionals in what always proves to be a compelling and exhilarating event.

The conditions that must be met, to ensure that the nominees are a cut above the rest, are as follows.

They must:

· Be an internationally recognised and respected Information Security practitioner or advocate

· Have made a clear and long-term contribution to the advancement of Information Security

· Have provided intellectual or practical input that has shifted the advancement of Information Security

· Be an engaging and revolutionary thought leader in Information Security

The Hall of Fame has proven to be the highlight of previous shows and this year is no different. Setting the standard for other industry professionals and defining contemporary issues, the Hall of Fame speakers aim to challenge conventional thought with a mix of pragmatism and provocation. It really is the must-see event of the year.

To nominate speakers, voters can go to www.infosec.co.uk/fame and make up to five nominations, accompanied by a short reason for their chosen speaker. 

Infosecurity Europe, celebrating 16 years at the heart of the industry in 2011, is Europe’s number one Information Security event.  Featuring over 300 exhibitors, the most diverse range of new products and services, an unrivalled education programme and visitors from every segment of the industry, it is the most important date in the calendar for Information Security professionals across Europe.  Organised by Reed Exhibitions, the world’s largest tradeshow organiser, Infosecurity Europe is one of five Infosecurity events around the world with events also running in Belgium, Netherlands and Russia.  Infosecurity Europe runs from the 19th – 21st April 2011, in Earls Court, London.  For further information please visit www.infosec.co.uk

Source: Infosecurity PR/Eskenzi PR
