Tuesday, December 1, 2009
I'm back from vacation and Thanksgiving - hope you all had a nice break!
Here is the latest SearchSecurity posting:
"The recent Health Net data breach—affecting some 1.5 million users—is a failure of all aspects of IT security, including the ability to set appropriate policy, communicate that policy to employees and deploy the relevant security technology.
Health Net announced last week that unencrypted records, and the portable external hard drive containing those records, were lost. A loss of this magnitude from normal business practice suggests that either sensitive data accumulated over a long period of time and was not systematically erased when no longer needed, or the user worked on extremely large chunks of data without proper security controls. IT should have been aware of both possibilities and acted to protect the business." ...
Friday, November 13, 2009
Audit Ready Data Center Webinar with Accelops
AccelOps has a really interesting approach to management of the technical infrastructure for mid-tier organizations. They do a solid innovative job of going a few extra steps to combine, correlate and analyze data - steps that IT does not have to learn to manually perform. The Audit-Ready Data Center is a webinar in conjunction with ISSA where we talk about the needs of meeting requirements for continuous audit that provides a common language for security discussions with other organizations in the company. Hope you can check it out on the 19th.
Tuesday, November 10, 2009
Press Quote: Tufin extends security lifecycle management
Tufin has a nice vision for helping IT manage network access policies - coordinating rules between firewalls, routers, and switches for consistency and security. It is worth checking out, especially if your network has sensitive data (and what network doesn't).
"Firewall Policy Management functions are only part of the solution when controlling access to sensitive zones within the corporate infrastructure." said Eric Ogren, principal analyst of the Ogren Group. "Access policies that are enforced by high speed switches and routers need to cooperate, and be consistent with firewall rules for effective management of a secure network. Tufin’s approach of converging analysis of leading network and security devices can help enterprises control dynamic networks for compliance and security."
How to use Internet security threat reports
A bunch of security threat reports have hit the presses lately. Here are a few thoughts of how IT should use these, as posted in SearchSecurity ...
"The Melissa worm, one of the most prolific email viruses in history, earned its notoriety by forwarding itself to the first 50 people found in a victim's Microsoft Outlook address book. Security researchers celebrated its 10th anniversary earlier this year, and in the decade since Melissa, the world has seen a boom in viruses, Trojans, SQL injection, spam, phishing and drive-by downloads." ...
Friday, November 6, 2009
Security benefits of virtual desktop infrastructures
Newly posted to SearchFinancialSecurity:
"An emerging technology is helping to solve security issues within the financial industry: virtual desktop infrastructures. With a virtual desktop infrastructure, an organization actually executes desktop applications on servers in the data center, relying on remote display protocols to give the user a localized look and feel. The security benefits of VDI in the data center are clear: IT controls software configurations, assuring that users execute software with the latest patches and upgrades ..."
Wednesday, November 4, 2009
Two-factor authentication, constant vigilance foils password theft
The latest on passwords at SearchSecurity:
"The state of the art in static password protection policies has left some specialists questioning the usefulness of current password policies.
It's going to take new measures -- a mixture of technology and policy -- to hold users more accountable while addressing new attack methods and the automated connectivity of Web 2.0 behavior..."
Thursday, October 29, 2009
Chip and PIN adoption serves lesson for U.S. payment industry
Fresh off the SearchSecurity press:
"First Data Corp. and RSA, the security division of EMC Corp., are the latest major companies working together to encrypt credit card data at the point-of-sale device. This early encryption approach, also offered by other vendors, including ProPay Inc. and Merchant Warehouse, can lower the technical costs of Payment Card Industry Data Security Standard (PCI DSS) compliance, as well as the legal risk of disclosure notifications and the risk of mass information loss. It is a proactive approach that retailers should be evaluating" ...
Tuesday, October 27, 2009
Lumension adds AV to endpoint security offering
Lumension continues to put together the critical pieces of an endpoint security solution. In addition to patching vulnerabilities to reduce the risk of an exploit, and application whitelisting with device control to reduce the risk of an attack modifying software, Lumension now adds an attack-centric AV layer to eradicate known threats. Defense in depth only really works if each layer adds a unique, complementary technology approach. That way, whatever threat one approach might miss, the next approach is likely to catch. The addition of AV to patching and application whitelisting is a good approach that should work well for Lumension's customers.
I supported Lumension's release activity with the following quote:
Eric Ogren, Principal Analyst, Ogren Group
“As the explosion of viruses and data-stealing crimeware continues to wreak havoc on corporate networks, IT administrators need to take an increasingly more proactive and blended approach to endpoint protection. Lumension now offers solution layers that close system vulnerabilities, identify and remove attacks, and protect against malware from Web 2.0 threats. Organizations that adopt such a coordinated defense will be better-suited to protect against threats, keeping their network, endpoints, and business resistant to the daily influx of newborn malware.”
Wednesday, October 21, 2009
DLP technology challenges security costs
New to SearchSecurity:
"Vendors have blurred the functional boundaries between data leakage prevention, digital rights management and even endpoint device control, to the extent that IT should reset expectations for DLP deployments. The recent Burton Group report on DLP summarizes the market from a vendor offerings point of view, with heavy emphasis in vendor rankings given to companies with large market shares and marketing budgets. DLP can be a powerful weapon for security teams balancing threat protection with data protection and acceptable use policies, but only in well-defined business scenarios." ...
Friday, October 16, 2009
Phishing protection begins with training, antiphishing evangelist
Newly posted on SearchSecurity:
Law enforcement has demonstrated that it's serious about cracking down on phishers, spammers and other nefarious cybercriminal activity, but now is the time for security organizations to launch an antiphishing program to protect customers and employees from the upcoming wave of attacks that will most certainly mark the holiday season.
Phishing is a nagging social problem that preys on users' trust of established brands and confidence in the Internet. The classic phishing scam consists of a plausibly written email message containing a link to a phish website that looks like the real thing, but is designed to steal passwords and account numbers when the unsuspecting user authenticates. While law enforcement is part of the solution to breaking up phishing rings, IT needs to continuously focus on social countermeasures to fight the strength of phishing attacks.
Tuesday, October 6, 2009
Mitigating zero-day vulnerabilities in customers' environments
Posted today at SearchSecurityChannel:
"Zero-day exploits -- attacks in the wild that are too new for signature checkers to recognize -- present a serious challenge to security solution providers who are expected to protect client endpoints, hosted websites, application services and Web communications. However, there may be opportunities for service providers to differentiate, or offer revenue generating services, with services that help clients recover from a zero-day infection."
Monday, October 5, 2009
Feds push cybersecurity jobs, PCI DSS changes ahead
Posted to TechTarget today:
"In a significant sign of the government's commitment to improving its cybersecurity profile, the Department of Homeland Security said it could hire 1000 security professionals over the next three years. This is welcome news for those seeking cybersecurity jobs. A longer-term view of the problem of securing the national technical infrastructure would have DHS allocating more of its $40 billion total budget authority to cybersecurity educational programs. We've heard reports about the problem of filling and retaining professionals in government information security jobs. In addition to existing degree programs at a few universities, perhaps cybersecurity can also be featured in Reserve Officers Training Candidate programs to develop military leadership well-versed in cybersecurity skills. Presently, neither the Army ROTC nor the Air Force ROTC shows cybersecurity as a career choice..."
Tuesday, September 22, 2009
Nominum Broadens Intelligent DNS Impact with SKYE Cloud Services
Nominum is introducing a DNS SaaS approach called SKYE. This is interesting partly because the DNS lookup seems like a good time to layer on security and acceptable use services, since attacks now originate from the Web. It is a good concept, with a good management team behind it, and I was glad to support their release.
“DNS has evolved from a simple name resolution protocol to a policy-based system that provides essential availability, auditing and security services for the entire ecosystem of web-based applications,” said Eric Ogren, principal analyst at the Ogren Group. “Since the first step of any Internet request is a DNS look-up, the name service is a natural position to deploy technology asserting manageable controls over the complexities and threats of today’s Internet. With web threats dominating the Internet, the time could not be better for Nominum to launch its SKYE service for ISPs and enterprises.”
Monday, September 21, 2009
Whitelists, SaaS modify traditional security, tackle flaws
Posted on SearchSecurity.com:
"The SANS Institute's latest threat report should be a reminder to security teams that now is the time to rethink the traditional approach to security as 2010 plans are being prioritized, with a strategy to transform security into a capability that is as dynamic as the attack landscape.
Threat reports are usually a tough read as they highlight the successes of hackers without suggesting meaningful preventive actions that IT can take. But the SANS report, The Top Cyber Security Risks, found that traditional security is woefully inadequate in protecting the business infrastructure against infected websites and penetration through popular applications such as Adobe Flash and Microsoft Office."