Infosec Blog

Security Event Information Management - Gartner Report May 2010

2010-06-29T14:52:00.000+04:00

Mobile Data Protection - Gartner Report

2009-09-27T17:17:00.002+04:00

McAfee grabs Cisco man for global channel role

2009-08-20T20:46:00.000+04:00

McAfee has tasked its new global channel chief with improving its ease of doing business with partners.

Alex Thurber has joined the anti-virus giant from Cisco in the post of senior vice president of worldwide channel operations.

McAfee indicated that Thurber’s immediate areas of focus would be to improve ease of doing business by implementing infrastructure improvements. He has also been tasked with driving pay-for-performance programmes.

Before his 10-year stint at Cisco – where he most recently oversaw channel strategy for wireless and emerging technologies – Thurber founded and ran US IT services and consulting firm Thurber Works.

Thurber will report into McAfee’s worldwide sales chief Michael DeCesare, who said: “I am looking to leveraging his 17 years of network and security experience that has given him a deep understanding of what is required to build and grow a value-based channel.”

Thurber said: “McAfee’s commitment to being a world-class channel company and its singular focus on security has proven successful in helping to empower the channel.”

Oops, e-mail security vendor McAfee spills 1400 private names

2009-07-30T09:26:00.000+04:00

In a story just dripping with irony, e-mail security vendor, McAfee, has accidentally sent the contact details of some 1400 conference attendees in a spreadsheet attached to a thank you message.

On July 17, McAfee held a security conference at the Sydney Convention Centre. The event was well attended by 1408 guests. But in e-mail a week later thanking people for attending, McAfee added a spreadsheet containing the names, numbers, e-mail addresses, employment details and even dietary requirements of the 1408 people.

As expected, McAfee went into damage control and immediately posted a message to those who received the list asking them to delete it.

But by then the damage was done. Steve Murphy, IT consultant and one of the 1408 people on the list, said the incident was “a real concern”.

“McAfee is brushing over it saying that it was just contact details, but it was the full registration database,” he said. “It is commercial-in-confidence information but these days social engineering is one of the most important aspects of security – it’s the kind of information that anyone can use.”

Murphy, who posted screengrabs of the emails on Flickr, discovered the mistake when he read the email newsletter and follow-up message.

“When I received the second email I was a little amused – until I opened the file and saw what was in there. Once I found out the details, I was horrified.”

A spokesperson for McAfee said the company sincerely apologised for the outcome and the inconvenience caused.

"Due to a human error, the contact list for a seminar [held two weeks ago in Sydney] was mistakenly attached to a promotional e-mail being sent to conference delegates. This contact list included common conference registration information but did not include any financial information," the spokesperson said.

"McAfee managed to intercept this e-mail before it was sent to all recipients, so it is uncertain how many recipients received the list."

McAfee has taken "the appropriate steps" to inform people of the mistake.

"We apologise for this error and are taking steps to ensure it doesn't happen again."

Let’s hope the “appropriate steps” to prevent this type of data loss includes the use of a McAfee Total Protection for Internet Gateways.

By combining email and web security with data loss prevention in one affordable solution, McAfee Total Protection for Internet Gateways helps you protect against malware attacks and keep sensitive information secure, according to the company.

“Automatic enforcement of industry and regulatory controls – Apply policies consistently to stop sensitive and protected data from leaving the enterprise through email and web traffic.”

McAfee getting more aggressive on cloud-based security

2009-07-21T08:38:00.000+04:00

McAfee Monday says it intends to expand its security-as-a-service offerings in recognition that customers are opting more and more to adopt cloud-based deployments.

"We already have a good foundation for this," says Marc Olesen, McAfee's senior vice president and general manager of the new software-as-a-service business unit. McAfee Total Protection Service, which has about 5 million users, is primarily cloud-based for endpoint and mail security scanning. In addition, McAfee's Web Protection Service, wholly in the cloud, provides URL filtering and reputation analysis, while the company's Vulnerability Assessment service can scan Internet-facing systems to discover software vulnerabilities.

But McAfee anticipates a much wider push into security-as-a-service in the course of the coming year.

For instance, the company envisions "adding an inside scan, which is not something we deliver today as security as a service," Olesen says. "Today, it's still outside the firewall."

McAfee's Foundstone Enterprise product can be used to scan the corporate intranet, but the company is looking at how to make use of the underlying technology to provide an internal scanning service.

Another area of focus is further developing a cloud-based management console, according to Olesen. "Customers are telling us they want the management in the cloud," he says. "They can get started quickly with it."

One customer, Philadelphia-based Gemino Healthcare Finance, has found it much easier to use McAfee's Web-based management in the cloud for the past two years than having to install and maintain an antimalware management console in-house on a server.

"It's a huge reduction in maintenance," says Peter Herschel, director of IT at the 18-person outfit. He says he's more or less on his own managing all the servers and desktops for the company, which provides financing to hospitals and others healthcare organizations. "I need basic security kept simple."

McAfee is examining methods for log archiving in the cloud, and in particular will be looking at three vertical industries -- telco providers, financial and healthcare -- where new security-as-a-service offerings can be delivered.

McAfee will look at services that telco providers can not only use themselves but offer as services to their customer base. The vendor also intends to expand its e-mail filtering offering to include continuity services.

Not all types of security protection readily lend themselves at this point to a cloud-based deployment, Olesen acknowledges. Data-loss prevention and unified-threat management products, for instance, do not appear to be candidates, but the management of them could.

"It's a gradual shift to the cloud," Olesen says, adding McAfee will be making investments there, mindful that key competitors such as Symantec are also zeroing in on cloud-based services. While not announcing a specific timeframe to achieve the efforts described, McAfee expects that many of its goals will be accomplished within the course of the year.

Heightened data-loss prevention needs fuel arms race between vendors

2009-06-27T08:27:00.000+04:00

Data-loss prevention is rapidly becoming the next big battlefield in IT security.

Innovative start-ups in DLP, such as Reconnex, Orchestria, Vontu, Provilla and Tablus have been swallowed up by McAfee, CA, Symantec, Trend Micro and RSA (the security division of EMC), respectively, though independents such as Fidelis Security Systems remain, in addition to open source. With acquired strength in DLP, the established security vendors are now determined to use DLP in new ways, by integrating it into storage systems, desktop anti-malware suites and more.

Though deploying commercial DLP still is expensive — a $100,000 price tag and up is not unusual — the process of filtering content to spot leaks of data, intentional or otherwise, shows signs of starting to become commoditized.

“There’s a lot of duct tape and glue right now to make this work the way you really want,” says Gartner analyst Eric Ouellet of the sophisticated DLP systems on the market today that can watch for sensitive content and block it, or hand it off for encryption before transmission.

Though fairly new, DLP can work remarkably well in detecting sensitive data and issuing warnings or blocking it. But there’s still often a lot of manual labor in registering content and defining policies. Businesses shouldn’t be jumping into it thinking they can instantly “boil the ocean,” Ouellet cautions. Rather, he says they should focus on four or five big categories of data they want to subject to DLP rules. “You have to train the system until you get comfortable with it.”

But what may be a somewhat arduous and expensive process today could give way to much more commoditization and ease of use within the next two years, Ouellet adds. That’s because security vendors see demand for DLP not just in large organizations, such as the financial institutions and insurance companies where DLP first caught on, often driven by regulatory-compliance concerns, but in any type of business that wants to protect sensitive data.

While Microsoft and Cisco haven’t bought DLP start-ups, they’re partnering with RSA to use RSA’s DLP classification technology. The first fruit of the RSA DLP alliance has been Cisco's just-announced integration of DLP into Cisco IronPort.

“We’ve been an early adopter of a number of RSA technologies,” says Erik Heidt, assistant vice president and manager of information technology at Cincinnati-based Fifth Third Bank, which uses IronPort for gateway e-mail security filtering.

Heidt plans to make use of the DLP capability in IronPort as part of an enterprise-wide DLP strategy, though he acknowledges “it could be time-consuming to get data policies written for this.”

Wes Wright, chief technology officer at Seattle Children’s Hospital, sees DLP as the next step to augment the encryption, which is based on GuardianEdge, that the healthcare organization recently deployed for endpoint protection. It seems likely the hospital will make the investment in DLP because management is getting behind it.

"You want to be able to set policies on what’s allowed, and you want to block,” says Wright. The hospital knows where patient health information is stored but having DLP controls on what happens to it after authorized personnel access it would be a big plus.

“I'd do both gateway and endpoint DLP,” says Wright, noting he’s focusing DLP evaluation efforts mainly on vendor products that can do both.

Despite the challenges of DLP today, it seems likely the enthusiasm for it is going to project DLP way beyond its first-generation existence on the gateway and desktop.

In fact, Ouellet even predicts the future will eventually usher in “the content-aware enterprise” where DLP is seamlessly linked into digital rights management and identity and access management. And DLP could provide the foundation for more efficient e-discovery of electronic records.

That’s the vision anyway, and a number of security vendors are eager to embrace it, with pledges of integration with other products frequently heard these days.

“At the end of the day, it’s about information control,” says Gijo Mathew, vice president of security management at CA. “Once you’ve analyzed the information accurately, you can do a lot more than just block it. You can tag it for retention and encryption. There's management of that information, and it could be the foundation for e-discovery systems in litigation.”

In January, CA acquired start-up Orchestria and has renamed the gateway and desktop monitoring product CA DLP. CA DLP is integrated with encryption products from Voltage, PGP and BitArmor so data tagged as sensitive can be automatically handed off to be scrambled before transmission, if it’s not blocked.

“CA is very big in identity and access management,” says Mathew, noting DLP can be tied to CA's identity management product or anything LDAP enable such as Microsoft Active Directory to set DLP policy. If there's a weak point in DLP today, says Mathew, it's that DLP can’t read encrypted documents. “If it can’t read it, it can’t analyze it to block it.”

Hundreds of customers use CA DLP, including Bloomberg, which includes it with their terminals, says Matthew, and even competitor Symantec in the past OEMed Orchestria for content-filtering in Symantec Enterprise Vault.

Symantec acknowledges that's the case but prefers not to discuss that, and instead points toward the security firm's own future plans for Symantec DLP, based on its Vontu acquisition.

What was once Vontu is now called Symantec DLP Discover, Monitor, Prevent and Management with about 300 corporate and government customers using it, says Rob Greer, Symantec’s senior director product management for data-loss prevention products.

Symantec has integrated DLP into its BrightMail e-mail security gateway. There’s also been integration with the Symantec Altiris management software. Altiris v. 7 can be used to deploy and troubleshoot endpoint DLP Prevent and Discover agents.

“Today with the workflow capabilities of Altiris, we can communicate between an endpoint DLP agent and Symantec Endpoint Protection agent,” says Greer.

This capability can be used to solve problems, he notes.

“Say an end user on a laptop is about to check out for the day and copy the crown jewels of the business,” Greer says. “We could today identify that action is occurring, block it with the endpoint DLP, the incident gets recorded in the DLP system, and a message sent to Altiris to lock down that USB drive and doesn’t let anything leave that laptop until the issue is resolved.”

Although today Symantec isn’t at liberty to discuss specific future plans, Greer said work to integrate DLP into Symantec storage systems can be expected. Symantec DLP Discover, for example, has already been integrated into Backup Exec System Recovery. And Symantec intends to introduce some open APIs for DLP.

Arch-rival McAfee is also out on the DLP battlefield, having acquired start-up Reconnexat the end of last year and now has about 500 DLP corporate customers, according to Mike Siegel, McAfee’s senior director of product management.

McAfee’s Host Data Loss Prevention and Network DLP Prevent and Monitor all work with McAfee’s flagship ePolicy orchestrator console, and the host DLP is integrated with McAfee's SafeBoot encryption software to invoke encryption of sensitive data.

McAfee’s host DLP software can be used alone or as an add-on to the flagship endpoint anti-malware security software that's part of McAfee's Total Protection for Data Endpoint suite. But there's still much more to be done, Siegel says.

McAfee is looking at taking the DLP engine and adding it to its Web gateway, e-mail gateway, firewall and intrusion-protection gear, something likely to occur next year, Siegel says.

The DLP battle for the enterprise is under way.

RSA, which has its own Data Loss Prevention Suite based on the Tablus acquisition but has also chosen to strategically partner with Microsoft and Cisco in a DLP technology-sharing arrangement, says DLP is going to end up as the “eyes and ears in many places,” says Tom Corn, vice president of product strategy at RSA.

DLP can be viewed as a standalone product or as a feature in other products, Corn points out. RSA, as part of storage giant EMC which also owns VMware, will be putting DLP capabilities into products in all those realms — though that may take time.

“Our DLP today can see inside Solaris file systems today and in our eRoom product line, and over time, there are reasons why classification technology should get built with back-up solutions,” Corn says. While a lot of the work is still to be done, the vision at EMC/RSA calls for DLP to play a role in eDiscovery and life-cycle management.”

What’s not widely known about DLP is how much work from experts in language and library sciences is required to make content-monitoring work, says Corn. DLP is going to be used not just by speakers of English or other European languages, but by speakers of Chinese and Japanese, and RSA will soon come out with DLP products for that.

Security firms warn of Michael Jackson spam messages

2009-06-27T08:26:00.000+04:00

Computer security firms are warning users to be vigilant about spam messages capitalizing the sudden death of U.S. pop star Michael Jackson.

The 50-year-old "King of Pop" was pronounced dead on Thursday afternoon at the Medical Center of the University of California in Los Angeles, after he was in a full cardiac arrest.

Security firm Sophos on Friday reported that about eight hours after Jackson's death, its experts witnessed the first wave of spam messages taking advantage of the breaking news in the subject line and body of the email.

In these messages, the spammers claimed that they have vital information about the death of Michael Jackson to share and asked for a reply.

Experts said the spammers can easily harvest recipients' contact information via a free live email address if users reply to the spam message.

"The untimely death of the King of Pop, Michael Jackson, has sent shockwaves through the entire world -- but unfortunately, this type of huge news story is also the perfect vehicle for spammers to snare vulnerable computer users," Graham Cluley, a senior technology consultant at Sophos, said in a statement.

"These spammers are relying on curious users to reply to their bogus claims, but if you receive one of these messages you just need to delete it," he added.

In addition, security experts at Sophos discovered that cyber criminals were taking advantage of the passing of U.S. actress Farrah Fawcett, a 1970s TV icon who also died on Thursday, to spread fake anti-virus software.

Bad news offers opportunity to spread malicious software, noted Guilherme Venere, an expert at security firm McAfee.

"Every time a disaster happens or news about some celebrity reaches the media, malware writers try to take advantage of it. The most common attack vector is email," he wrote in a posting on the company's blog.

Venere said users should be wary of spam emails offering links to "news" or "pictures" of deceased celebrities, which most of the time will lead to websites touting pharmacy products and even result in the installment of malware on the computers

Cornell Suffers Massive Security Breach

2009-06-24T09:27:00.002+04:00

A stolen Cornell University computer has compromised the personal information of thousands of members of the University community. The computer contained the names and social security numbers of current and former students as well as current and former faculty and staff members.

The affected people totaled 22,546 current and former students and 22,731 current and former faculty and staff, amounting to 45,277 people in the Cornell community.

An internal memo sent Friday from University Auditor Mike Dickinson was obtained by WVBR. The message said that currently, no misuse of this sensitive information has been found. Also in the message, Cornell said that they have enlisted the help of Kroll Fraud Solutions to "provide fraud counseling and credit monitoring services at the university's expense."

WVBR spoke early on Tuesday afternoon with University spokesman Simeon Moss who confirmed that a security breach had occurred and that an internal investigation is now underway. Moss declined to comment further.

Shortly after WVBR broke the story on Tuesday, the University notified all students and staff affected by the breach via e-mail late in the afternoon. The e-mail contained preliminary information about the breach and came in advance of formal notifications via U.S. mail.

The official letter will contain a full description of the services the University is offering at its expense.

The computer itself was stolen earlier this month, though University officials only became aware of the security issues late last week. The computer had been issued to a member of the Cornell technical staff, who was correcting transmission errors found in the processing of files. The data was being used for troubleshooting, and under information security policy, should have been in a physically secure location. University officials have stated that the employee's actions violated this policy.

Tune into WVBR this afternoon for continuing coverage and keep your browser on WVBR.com for updates. WVBR will also have exclusive interviews with Cornell officials as the story develops.

Gartner sees better days ahead for security budgets

2009-06-23T10:06:00.000+04:00

The dismal economy has put the brakes on a lot of security projects, but the need to maintain the basics and automate some security functions has fueled interest in managed security services and some specific security areas, according to analysts at Gartner Inc.

Despite the dour economy, core security software functions are on pace to continue to grow, said Adam Hils, a principal research analyst with Gartner Research. Antivirus, antimalware and email security will continue to gain interest. New projects will be driven by regulatory compliance initiatives and areas affected by cost cutting measures.

"Companies are still doing the blocking and tackling," Hils said. "We are still seeing security budgets about flat, while the rest of IT is in a state of decline."

The spending data is a mixture of a fourth quarter 2008 survey conducted by Gartner and research conducted by Gartner analysts in the first half of 2009. It will be presented by Hils along with some predictions at the Gartner Information Security Summit next week at the Gaylord National Harbor Resort & Convention Center in Washington, DC.

Companies eager to find value in automating some security processes are turning to managed security services. Telecom providers, AT&T and Verizon have been traditionally strong players in the space, offering security packages on top of telecom services. But Gartner says investments continue around improving network security with the deployments of multifunction firewalls and intrusion prevention systems.

"We still see support for firewalls and intrusion protection system, especially where encryption and data leakage prevention being done," Hils said.

The economy is also shifting buying habits, according to Gartner. More and more companies are also tuning to a single vendor for most security needs, buying from suite vendors that have an established portfolio of products rather than best of breed vendors selling a niche technology. By 2010, companies will favor a single vendor for security applications.

Symantec ranked the highest in a list of security software and appliance vendors currently used by companies. It was followed by Microsoft, McAfee, Cisco and Trend Micro. Meanwhile, Symantec led the pack of managed security services providers, followed by IBM ISS, VeriSign and AT&T.

Hils said many vendors are reporting success targeting small and midsized businesses, where spending on security continues. Larger vendors have the ability to put large projects on hold and wait out a dismal economy, he said.

"Despite fact that many are getting pummeled in this economy, the rate of security spending is higher among small and midsized businesses," Hils said. "The small guys don't really have a full foundation and can't afford to wait. They have compliance regimes to meet."

Hils and other analysts say there is some signs making people more optimistic. In the financial services industry, which has been hit particularly hard, nearly half of the 175 security pros surveyed by SearchFinancialSecurity.com said their ability to obtain funding for security projects, products and services will improve in the second half of 2009. That survey ranked authentication, encryption and network access control (NAC) technologies as high budget priorities over the next year.

"Security projects around enterprise apps are being shelved and big projects that aren't demand driven are being shelved," Hils said. "While those projects are being put off, the basic stuff is still being done."

Microsoft ranks No. 7 in anti-virus on eve of beta launch

2009-06-23T10:04:00.000+04:00

One day before Microsoft releases a beta version of its new anti-virus software, a report on the 2008 security-software market share makes clear perhaps why Microsoft is trying to regain some ground: It's far behind the competition.

Analysis firm Gartner said today that Microsoft is in seventh place with 2.3 percent of the worldwide security-software market share.A report released today shows Symantec is the uncontested leader with 22 percent, followed by McAfee at 10.9 percent.

Then again, it's no secret Microsoft's anti-virus software - up to this point, mainly Windows Live OneCare - hasn't been a market leader.

On the other hand, Microsoft's security-software revenue did grow 16.3 percent from 2007 to 2008, according to Gartner. The worldwide market itself defied the poor economy by growing 18.6 percent year over year. Perhaps it's not a bad sector for Microsoft to focus on.

On Tuesday morning, Microsoft is releasing a beta version of its new software, Microsoft Security Essentials (formerly known as Morro). No final release date has been announced, but the program will be free.

Microsoft's market share was so small, in fact, that I had to call Gartner to get Microsoft's numbers; they aren't included in the report. Here are the numbers:

Microsoft

2008 revenue ($M)	2008 market share %	2007 revenue ($M)	2007 market share %	2007-08 growth %
315.0	2.30	270.9	2.38	16.3

Source: Gartner

The rest

Facebook Security Hole Remains Unplugged for Two Weeks, Hackers Say

2009-06-23T10:03:00.000+04:00

A team of bloggers has hacked into Facebook using unsophisticated means and say the company has not repaired the security hole despite telling the company of the vulnerability over two weeks ago.

The creators behind FBHive, a new blog dedicated to the social networking site,says their hack can expose information that identity thieves could profit from.

Caroline McCarthy of CNetNews.com has more:

No, it won't expose your personal photos or wall posts. But, FBHive says, it can bring up all the "basic information" that you have entered into your profile, even if you've elected to keep that information private. This is the section that includes location, gender, relationship status, relationships (significant other, parents, siblings), political views, religious views, birthday, and hometown. That's enough to be a problem in the identity theft department, as it could easily expose frequent password hints like dates of birth and mothers' maiden names.

To prove their hack worked, the team posted the profile information of Facebook founder and CEO, Mark Zuckerberg, as well as profile information from the founder of Digg, Kevin Rose, and famous blogger, Cory Doctorow.

FBHive says the hack still works today and was communicated to Facebook on June 7.

"We are not malicious hackers by any means," the article announcing the hack said, "and our skills are far from advanced. We here at FBHive are fans of Facebook, but when a security hole as big as this is discovered and brought to their attention, it shouldn’t take 15 days to fix."

Facebook told McCarthy that it is looking into the vulnerability and will have more information soon.

Intellectual property top favourite of cyber criminals

2009-06-22T08:07:00.002+04:00

An interesting Article By Reena Amos Dyes

Vital digital information, such as intellectual property rights and customer data, is increasingly being transferred between companies and continents and lost.

An average company has $12 million (Dh44m) worth of sensitive information stored abroad and companies lost on an average $4.6m worth of intellectual property in 2008.

According to a report by McAfee, a computer security company, titled Unsecured Economies, Protecting Vital Information, elements in certain countries are emerging as clear source of threats to sensitive data, especially to intellectual property.

Three countries in particular stood out in the McAfee survey conducted as part of the report.

Respondents cited China, Pakistan and Russia as the worst-rated countries when it comes to protection of digital assets.

Pakistan, China and Russia, in that order, were also perceived to have the worst reputation for pursuing or investigating security incidents. Respondents cited corruption and inadequate skills in law enforcement and legal bodies as top reasons for the rating.

Twenty-six per cent of respondents had purposely avoided storing and/or processing data in China, 27 per cent in Pakistan and 19 per cent in Russia.

According to the report, a number of factors are influencing the trend for companies to store vital information offshore.

While 26 per cent cited cost reduction as a reason for outsourcing, other drivers for storing or processing sensitive information outside of the home country were supply chain partner efficiency (33 per cent) followed by better expertise (30 per cent) and increased safety (29 per cent).

Talking to Emirates Business about the dangers of outsourcing, Greg Day, Emea Security Analyst, McAfee Avert Labs, said: "Cyber criminals see this vital information as a high value commodity because it is easily transportable and can be sold on the black markets for huge returns and are devising increasingly devious ways to infiltrate companies.

"Cyber thieves have expanded their activities beyond basic hacking and stealing of credit card data and personal credentials. Their emerging target is intellectual property. Why sink all that time and money into research and development when you can steal it?

"Credit card fraud and identity theft have moved into the so-called "cash cow" phase of criminal strategy. In other words, it's a source of revenue, but there's not much room for growth, so criminals are looking for the new stars of their portfolios."

Mike Smart, Senior Product Marketing Manager, Emea, McAfee, said: "When considering outsourcing any part of a business, there are many considerations. Primarily, it is important to look at whether the process of outsourcing may increase business risk.

"For example, it is necessary to look at whether the outsourcing agent has adequate policies and processes in place to protect intellectual property in terms of information. Examples of information that would require a high assurance level are competitive documentation, engineering design schematics, customer data, business plans or proprietary financial information."

"Different regions have different legislation in place to protect data," said Smart. In some regions, there simply is not the maturity in the market around the implementation of what some markets might call best practices. So, there may be an increased risk that a failure in best practices within the outsourcing organisation would result in a data breach. This ultimately would impact the brand – one of the most valuable assets for any firm.

According to the report, with many companies having subsidiaries and satellite offices around the globe and an increased need for collaboration, the traditional operational boundaries are now disappearing. Informational assets are subject to various jurisdictions, infrastructure and cultures, including those of suppliers and partners.

This trend has made it more difficult to lock down intellectual property in order to ensure its safety. Smart said: "Often there is an assumption that an outsourcing company would provide the same level of protection around data that the company that owns the data would. This is a fundamental mistake.

"When looking for an outsourcing partner it is worth making sure that due diligence is done specifically around their corporate governance [best practices in the protection information]. In addition availability of valuable data [information] is also key, so it is important to ensure that the potential partner has established strong business continuity procedures and that they have adequate Service-Level-Agreements around security and availability of information." Considering how much vital information companies are moving offshore in the current economic climate it is more important than ever that this data is secure. The research findings suggest this may not necessarily be the case. Respondents in countries such as Brazil, China and India spent more on security as a percentage of their overall IT budgets, while respondents in developed countries such as Germany, Japan, the United States and the United Kingdom spent less on protecting their vital information.

Thirty-five per cent of Indian, 33 per cent of Chinese and 27 per cent of Brazilian companies reported spending 20 per cent or more of the IT budgets on security, compared to 20 per cent of German, 19 per cent of US, 10 per cent of Japanese, and four per cent of UK firms.

The UK reported the least amount of spend on security as a percentage of their IT budget, with 44 per cent of the respondents spending zero to five per cent of their budgets on security.

When comparing the motivators of information security investments, there is a striking difference in attitudes across the globe. It appears that decision makers in many countries, particularly developed ones, are reactive rather than proactive.

Compliance with regulation is the key motivator in Dubai, Germany, Japan, the UK, and the US.

However, 74 per cent of Chinese respondents and 68 per cent of Indians reported making decisions based on gaining and maintaining a competitive advantage in attracting customers.

To make matters worse, there are a minority of companies in some countries who did not pursue a security breach incident. This suggests that when intellectual property is stolen in certain countries, it will not be reported.

Among Chinese firms, 28 per cent said they do not pursue security incidents because of the cost, and 35 per cent do not pursue them to avoid bad publicity.

Twenty-three per cent of German and Japanese firms said they do not respond to incidents because of the cost.

Smart said: "Often this is because different geographical regions have different perspectives and culture around the value of data. In regions where data privacy directives are either not ratified or specific legislation is not in place, we would tend to see culturally that less value is associated to protecting their information [and potentially the information that may have been outsourced to the region]."

"Specific to Dubai, there were some interesting statistics in McAfee's Unsecured Economies report; Dubai was included in the top three countries that had chosen to outsource sensitive data (though they chose not to outsource any of their own intellectual property).

However, Dubai was in the bottom when it came to doing risk assessments during the outsourcing process.

This tells me that businesses in Dubai value intellectual property [because they do not outsource it], but do not value sensitive data [which may include customer data] because they are more than happy to outsource it without doing risk assessments," said Smart. "In addition, in Dubai there was significantly lower than average money spent on protecting vital information [only Japan was lower], and only 28 per cent of respondents in Dubai thought they were not spending on protecting vital information."

So, how can companies that are outsourcing ensure protection of their data and intellectual property? According to McAfee, even though it is often a case of "out of sight is out of mind", this is not an approach that organisations can afford to take when outsourcing.

Much due diligence and risk assessment needs to be done during the initial phases of an outsourcing project.

In some situations a risk assessment may help organisations to discover that the risk is too high to outsource information.

In addition, successful outsourcing agreements are reached when the two business integrate their architecture [establishing Virtual Private Networks and providing access to internal content management systems or intranet systems].

Ensuring that the organisation that has chosen to outsource data builds in policies and processes that take into account the outsourcing agent will also help to reduce risk.

Smart said: "Also important is the provision of training to the outsourcing agent to help them understand the organisation's policies around protecting vital information, and also making sure that service level agreements are put in place to ensure adherence to these policies."

UTM - Latest Gartner Report

2009-06-21T10:47:00.001+04:00

NitroSecurity Delivers Real-Time Monitoring and Analysis for Emerging Common Event Format (CEF) Information Security Standard

2009-06-17T17:58:00.000+04:00

Long-time innovators of information security technology, today announced full support of the Common Event Format (CEF) within the company’s award-winning Security Information and Event Management (SIEM) platform, NitroView. The support of this emerging standard provides compatibly with event and log collectors from other compliant IT security companies, allowing businesses invested in legacy SIEM technology to easily add support for real-time monitoring and analytics offered by NitroSecurity. Through support of CEF, NitroView can now be used either as a standalone content-aware SIEM, or to supplement existing SIEM deployments, overcoming the scalability and performance concerns which have notoriously plagued these systems.

Legacy SIEM users are running into several performance barriers: as networks grow, the amount of information that needs to be collected per second also grows, often to hundreds of thousands of events per second; at the same time, the growing size of a SIEM’s data store causes incident response performance to slow, limiting the usefulness of the SIEM to log management and reporting functions. NitroView’s high-performance architecture overcomes these obstacles, providing event collection rates of millions of events per second, while maintaining real-time operations for data investigations, analysis, and response.

The support of CEF provides a common event format that now enables the deployment of NitroView in parallel to legacy SIEMs, in a manner that is non-disruptive to the incumbent systems. For companies looking for real-time analytics and content-aware SIEM, NitroView’s support of CEF enables them to use their existing log and event collection facilities to feed information to NitroView’s high-speed threat detection and incident response engine. For companies requiring higher event collection rates, NitroView Receivers can collect events at high rates, correlate and aggregate those events to manageable rates, and pass them on to the legacy system in the common event format. The flexibility of deployment and a starting price of just $29,995—a fraction of the cost of legacy SIEMs—make NitroView a logical choice for budget-conscious companies who are looking to extend their information security capabilities during a tough economy.

“Many companies are heavily invested in SIEM, and to disrupt that investment can sometimes be counter-productive, especially in larger networks," said Ken Levine, chief executive officer of NitroSecurity. "However, the need for greater performance is critical, as the level and complexity of threats increases. While NitroView is typically purchased as a total replacement for legacy SIEM, customers now have the option of supplementing their existing investments rather than replacing them outright, using a system that provides the real-time, operational support they need to improve their information security efforts, with minimal cost and zero impact to existing operations.”

About NitroView Enterprise Security Manager (ESM)

NitroView ESM is the first and only content-aware Security Information and Event Management platform. Using patented data storage and management technology, NitroView is able to collect and manage billions of events, logs, network activity flows, and even application content—while maintaining the real-time analytics that are required for rapid incident response. NitroView’s unique capability to monitor and analyze application content along with typical security events and logs provides unparalleled visibility into data usage, provides unparalleled threat detection and fraud detection capabilities. NitroView is Common Criteria certified to EAL3, and is validated by the FIPS140-2 level 2, and is able to support FISMA rapid response requirements as well as DOD and NIST directives. NitroView ESM is available now, with complete solutions starting at $29,995 USD.

About NitroSecurity

NitroSecurity develops security information and compliance management solutions that protect business information and infrastructure. NitroSecurity solutions reduce business risk exposure and increase network and information availability by removing the scalability and performance limitations of security information management. Utilizing the industry’s fastest analytical tools, NitroSecurity identifies, correlates and remediates threats in minutes instead of hours, allowing organizations to quickly mitigate risks to the organization’s information and infrastructure. NitroSecurity serves more than 500 enterprises across many vertical markets, including healthcare, education, financial services, government, retail, hospitality and managed services. For more information, please visit nitrosecurity.com.

NIST Releases Information Security Handbook for Managers

2009-06-17T16:02:00.000+04:00

The National Institute of Standards and Technology (NIST) announced Nov. 9 the release of Special Publication 800-100, Information Security Handbook: A Guide for Managers. The handbook provides a broad overview of information security program elements to assist managers in understanding how to establish and implement an information security program. Even though the document is geared toward the federal sector, the handbook can also be used to provide guidance on a variety of other governmental, organizational or institutional security requirements and is useful to any manager who requires a broad overview of information security practices, according to NIST.

To view NIST's Information Security Handbook: A Guide for Managers, visit http://csrc.nist.gov/publications/nistpubs/#sp800-100

Information Security Rises to the Top

2009-06-17T08:38:00.000+04:00

Information security ceased being merely a desirable option long ago. But even its long-extant status as a requisite pales in comparison to its current situation. Simply put: Information security is the glue that holds any information-age society together. No other endeavor may be as important to our technology-driven society.

As the information age unfolded, networked nations embraced information technology across a broad spectrum of military, civil government and business areas. New uses quickly emerged, and applications never before imagined became necessities in short order. As a result, the infosphere transitioned from a great convenience to a foundation of 21st century society. But, as with any valuable asset, the infosphere now is the target of a wide range of malevolent operators—and, unlike in the typical Hollywood ending, the bad guys now are winning.

The greatest threat to cyberspace no longer is the clever hacker. Now, organized crime and hostile governments are infiltrating every corner of the information realm. Their motives may differ widely, but their effects can be devastating to a variety of degrees. In purely financial terms, banks can be looted of major holdings through cyberspace. Every major financial institution has set aside funds to cover cybertheft losses each year. However, those losses are mounting, and banks soon may no longer be able to cover those costs.

Beyond local finances lies the potential for collapse of the economic system—not unlike that of last year’s credit market crash. In this scenario, cybermarauders could fleece depositors of their financial holdings or hijack online commercial transactions to divert money away from merchants and toward the perpetrators’ own financial accounts. These cybermarauders could be criminal profiteers or rogues seeking to bring down a Free World nation’s economy. Regardless of their intent, the effect would go beyond mere financial losses. People would lose confidence in their business institutions and in online transactions of any kind, which likely would lead to a collapse of the banking industry along with e-commerce.

In broader terms, cyberspace criminals also threaten innovation and economic growth. Cyberthieves are running rampant through the infosphere, and snatching money may not be their only goal. Industrial espionage has become a major profit enterprise for seasoned intruders who can either steal specific business secrets on order or sell independently purloined information to the highest bidder. This crime threatens to undermine the entire research and development enterprise, as companies that dedicate billions of dollars to innovation could see their competitive advantage wiped out with the swipe of a cursor. A nation such as the United States, which has built its economy around innovation and entrepreneurship, could see its economic edge disappear rapidly as competitors are able to market stolen innovations without factoring in research costs.

All of these threats confront the military. Modern militaries have committed to network-centric forces, and therein lies the vulnerability that every adversary hopes to exploit. The currency of the network-centric military is information, and cybercrime or espionage can wreak the same degree of devastation to military operations that they pose to the economy. With the military adopting commercial information technologies and capabilities, the security threat that challenges the private sector extends to the military arena.

So the seeds of destruction are sown. The challenge is to prevent that bitter harvest without destroying the very field that needs to be protected.

As with any type of security, the weakest link defines its ultimate effectiveness. The information age cannot hope to implement a perfect information security architecture—attaining such an environment is neither reasonable nor desirable. But government, industry and the public can work together to implement effective information security. Many information technology experts believe that government can—and should, without delay—take the lead in this effort.

But even if government establishes a common set of standards agreed to by all, security will remain a long-term ongoing effort for all users of information technology. Risk management can, and must, play a role in information security, but implementing it no longer is a matter of choice—it now is a matter of survival.

Network Access Control - Mar 2009 Magic Quadrant

2009-06-17T08:34:00.000+04:00

Symantec, McAfee forced to change subscription methods after huge US fines

2009-06-15T09:33:00.001+04:00

Information technology security firms Symantec and McAfee are being forced to change automatic subscription renewal methods for their Australian customers after their US parent companies were fined over $900,000 for charging customers' credit cards without permission.

The two firms were the target of an investigation by the New York Attorney-General, Andrew Cuomo, after complaints were received from customers who were charged without their knowledge.

"Companies cannot play hide-the-ball when it comes to the fees consumers are being charged," Cuomo said.

"Consumers have a right to know what they are paying, especially when they are unwittingly agreeing to renewal fees that will not appear on their credit card bill for months."

Both US companies said they will be more upfront with users about renewal processes, and will make it easier for customers to change subscription details.

Symantec Australia spokeswoman Debbie Sassine says the company appreciates the matters being brought to the company's attention, and is working to change customer subscription processes.

"We will continue to work in the future to comply with the office of New York's attorney general to make sure their concerns are fully addressed. Customer service is our top priority and we will continue to look for opportunities to improve our auto-renewal process and make it as user-friendly as possible for our customers."

"We have improved our disclosures to ensure that the auto-renewal process is clear to our customers, specifically making the ability to opt out of the auto-renewal feature more clear and accessible."

McAfee Australia enterprise sales director, Tim Clemens, said the company is changing its processes but maintains the position that auto-subscription is critical for their products. If a customer does not receive an urgent update, he argues, their computer could become infected with a deadly virus.

"Even a short, unintentional lapse could result in irreversible damage or irretrievable data loss," he said.

"McAfee will provide electronic notification to consumers before and after the subscription is renewed, and will provide refunds within 60 days to any consumers who request them."